From e1c844ec9d0c58ece76fd2872eaa10c8651d8c59 Mon Sep 17 00:00:00 2001
From: Jason Young
Date: Wed, 7 Feb 2018 16:50:27 -0800
Subject: [PATCH 01/15] wip: strawman proposal for adding native support for openapi, grpc, and generic rest apis
---
 apis/v1alpha1/api.proto | 197 +++++++++++++++++++++++++++++++
 apis/v1alpha1/http_generic.proto | 131 ++++++++++++++++++++
 2 files changed, 328 insertions(+)
 create mode 100644 apis/v1alpha1/api.proto
 create mode 100644 apis/v1alpha1/http_generic.proto
diff --git a/apis/v1alpha1/api.proto b/apis/v1alpha1/api.proto
new file mode 100644
index 00000000000..d0388b10645
--- /dev/null
+++ b/apis/v1alpha1/api.proto
@@ -0,0 +1,197 @@
+// Copyright 2017 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package istio.apis.v1alpha1;
+
+option go_package="istio.io/api/apis/v1alpha1";
+
+option (gogoproto.goproto_getters_all) = false;
+option (gogoproto.equal_all) = false;
+option (gogoproto.gostring_all) = false;
+
+// OpenAPI v2 specification
+// https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md
+message OpenApiv2 {
+ oneof data {
+ // utf-8 encoding of OpenAPI v2 document written in YAML or JSON.
+ string yaml = 1;
+ }
+}
+
+// OpenAPI v3 specification
+// https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md
+message OpenApiv3 {
+ oneof data {
+ // utf-8 encoding of OpenAPI v3 document written in YAML or JSON.
+ string yaml = 1;
+ }
+}
+
+// A protobuf descriptor set for a gRPC service.
+message Grpc {
+ oneof data {
+ // Binary content of the proto descriptor set for the gRPC service.
+ bytes binary = 1;
+ }
+}
+
+// API configuration for describing the API surface of a (sub)set of
+// services. These API descriptions are used to generate API related
+// attibutes. Security definitions, extensions, etc. are preserved but
+// not used by Istio.
+//
+// For example,
+// https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml
+// would be encoded with the following:
+//
+// apiVersion: apis.istio.io/v1alpha1
+// kind: HTTPAPI
+// metadata:
+// name: petstore
+// spec:
+// openapiv2: |
+// swagger: "2.0"
+// info:
+// version: "1.0.0"
+// title: "Swagger Petstore"
+// description: "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification"
+// termsOfService: "http://swagger.io/terms/"
+// contact:
+// name: "Swagger API Team"
+// license:
+// name: "MIT"
+// host: "petstore.swagger.io"
+// basePath: "/api"
+// schemes:
+// - "http"
+// consumes:
+// - "application/json"
+// produces:
+// - "application/json"
+// paths:
+// /pets:
+// get:
+// description: "Returns all pets from the system that the user has access to"
+// operationId: "findPets"
+// produces:
+// - "application/json"
+// - "application/xml"
+// - "text/xml"
+// - "text/html"
+// parameters:
+// -
+// name: "tags"
+// in: "query"
+// description: "tags to filter by"
+// required: false
+// type: "array"
+// items:
+// type: "string"
+// collectionFormat: "csv"
+// ... etc ...
+//
+// This file could be created from the command line with istioctl, e.g.
+//
+// istioctl create httpapi petstore --type=openapiv2 --from-file=petstore-simple.yaml
+//
+message HTTPAPI {
+ oneof type {
+ HTTPGeneric http_generic = 1;
+ OpenAPIv2 openapiv2 = 2;
+ OpenAPIv3 openapiv3 = 3;
+ Grpc grpc = 4;
+ }
+
+ // TODO - how do bind this API to a set of services?
+ //
+ // option (1) - define api-to-service binding inline with
+ // `destination` below. Nice and self-contained, but may require
+ // duplicate API instances if services are composed of multiple
+ // smaller services, e.g. every service has a "healthcheck" API.
+ //
+ // option (2) - use external binding resource,
+ // e.g. HTTIAPISpecBinding. Useful for reuseing and composing API
+ // definitions across sets of services.
+ //
+ repeated istio.routing.v1alpha2.Destination destinations = 5;
+
+ // TODO - OpenAPI/gRPC types may be normalized to generic HTTP. This
+ // could be hidden from the user. Alternatively, it might be useful
+ // to reflect this back into the user-facing configuration resource
+ // to aid in debugability.
+ HTTPGeneric normalized_http = 6;
+}
+
+
+/////////////////////////////////////////////////////////////////
+//
+// NOTE: The HTTPAPIReference and HTTPAPIBinding beow would be used for
+// external binding API to a set of services. They aren't needed if
+// the inline destination binding option is selected.
+//
+////////////////////////////////////////////////////////////////
+
+
+
+// HTTPAPIReference defines a reference to an API. This is typically used
+// for establishing bindings between an API and an IstioService. For
+// example, the following defines an HTTPAPIReference for service `foo` in
+// namespace `bar`.
+//
+// - name: foo
+// namespace: bar
+//
+message HTTPAPIReference {
+ // REQUIRED. The short name of the API. This is the resource name
+ // defined by the metadata name field.
+ string name = 1;
+
+ // Optional namespace of the API. Defaults to the encompassing
+ // HTTPAPIBinding's metadata namespace field.
+ string namespace = 2;
+}
+
+// HTTPAPIBinding defines the binding between APIs and one or more
+// IstioService. For example, the following establishes a binding
+// between the API `petstore` and service `foo` in namespace `bar`.
+//
+// apiVersion: apis.istio.io/v1alpha2
+// kind: HTTPAPIBinding
+// metadata:
+// name: my-binding
+// namespace: default
+// spec:
+// services:
+// - name: foo
+// namespace: bar
+// api_specs:
+// - name: petstore
+// namespace: default
+//
+message HTTPAPIBinding {
+ // List of destinations (workloads) that the policy should be applied on.
+ // If empty, policy will be used on all destinations in the same namespace.
+ repeated istio.routing.v1alpha2.Destination destinations = 1;
+
+ // TODO - how to bind a set of services to an API spec? Option (1)
+ // shown below uses an array of references. Alternatively, this
+ // could use a labels and labelSelectors.
+
+ // REQUIRED. One or more API references that should be mapped to
+ // the specified service(s). The aggregate collection of match
+ // conditions defined in the APIs should not overlap.
+ repeated HTTPAPIReference apis = 2;
+}
diff --git a/apis/v1alpha1/http_generic.proto b/apis/v1alpha1/http_generic.proto
new file mode 100644
index 00000000000..3e65ee38679
--- /dev/null
+++ b/apis/v1alpha1/http_generic.proto
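Review bot: In apis/v1alpha1/api.proto the `HTTPAPI` oneof refers to `OpenAPIv2` and `OpenAPIv3`, but the messages declared earlier in the same hunk are spelled `OpenApiv2` and `OpenApiv3`, so those two members do not resolve as written; pick one spelling, e.g. `OpenApiv2 openapiv2 = 2;`. The file also sets `(gogoproto.*)` options and uses `istio.routing.v1alpha2.Destination` without any `import` line in the hunk, whereas http_generic.proto in the same patch imports both. Separately, `yaml` and `binary` carry whole user-supplied documents that some component has to parse, and the field comments state no bound or validation contract; I would add something like `// Must parse as a valid OpenAPI v2 document; input over the configured size limit is rejected at config validation.` and the equivalent on `binary`.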
@@ -0,0 +1,131 @@
+// Copyright 2017 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package istio.apis.v1alpha1;
+
+option go_package="istio.io/api/apis/v1alpha1";
+
+import "gogoproto/gogo.proto";
+
+// TODO - promote to a common type?
+import "mixer/v1/attributes.proto";
+
+// TODO - promote to a common type, or create a new type against the
+// same concept?
+import "routing/v1alpha2/route_rule.proto";
+
+option (gogoproto.goproto_getters_all) = false;
+option (gogoproto.equal_all) = false;
+option (gogoproto.gostring_all) = false;
+
+// HTTPAPISpec defines the canonical configuration for generating
+// API-related attributes from HTTP requests based on the method and
+// uri templated path matches. It is sufficient for defining the API
+// surface of a service for the purposes of API attribute
+// generation. It is not intended to represent auth, quota,
+// documentation, or other information commonly found in other API
+// specifications, e.g. OpenAPI.
+//
+// Existing standards that define operations (or methods) in terms of
+// HTTP methods and paths can be normalized to this format for use in
+// Istio. For example, a simple petstore API described by OpenAPIv2
+// [here](https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml)
+// can be represented with the following HTTPAPISpec.
+//
+// apiVersion: apis.istio.io/v1alpha1
+// kind: HTTPAPI
+// metadata:
+// name: petstore
+// namespace: default
+// spec:
+// generic:
+// attributes:
+// api.service: petstore.swagger.io
+// api.version: 1.0.0
+// patterns:
+// - attributes:
+// api.operation: findPets
+// httpMethod: GET
+// uriTemplate: /api/pets
+// - attributes:
+// api.operation: addPet
+// httpMethod: POST
+// uriTemplate: /api/pets
+// - attributes:
+// api.operation: findPetById
+// httpMethod: GET
+// uriTemplate: /api/pets/{id}
+// - attributes:
+// api.operation: deletePet
+// httpMethod: DELETE
+// uriTemplate: /api/pets/{id}
+//
+message HTTPGeneric {
+ // List of attributes that are generated when *any* of the HTTP
+ // patterns match. This list typically includes the "api.service"
+ // and "api.version" attributes.
+ Attributes attributes = 1;
+
+ // List of HTTP patterns to match.
+ repeated HTTPGenericPattern patterns = 2;
+}
+
+// HTTPGenericPattern defines a single pattern to match against
+// incoming HTTP requests. The per-pattern list of attributes is
+// generated if both the http_method and uri_template match. In
+// addition, the top-level list of attributes in the HTTPAPISpec is also
+// generated.
+//
+// pattern:
+// - attributes
+// api.operation: doFooBar
+// httpMethod: GET
+// uriTemplate: /foo/bar
+//
+message HTTPGenericPattern {
+ // List of attributes that are generated if the HTTP request matches
+ // the specified http_method and uri_template. This typically
+ // includes the "api.operation" attribute.
+ Attributes attributes = 1;
+
+ // HTTP request method to match against as defined by
+ // [rfc7231](https://tools.ietf.org/html/rfc7231#page-21). For
+ // example: GET, HEAD, POST, PUT, DELETE.
+ string http_method = 2;
+
+ oneof pattern {
+ // URI template to match against as defined by
+ // [rfc6570](https://tools.ietf.org/html/rfc6570). For example, the
+ // following are valid URI templates:
+ //
+ // /pets
+ // /pets/{id}
+ // /dictionary/{term:1}/{term}
+ // /search{?q*,lang}
+ //
+ string uri_template = 3;
+
+ // EXPERIMENTAL:
+ //
+ // ecmascript style regex-based match as defined by
+ // [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). For
+ // example,
+ //
+ // "^/pets/(.*?)?"
+ //
+ string regex = 4;
+ }
+}
From d8030f3c5ed28bab7ceed547ff216289d8a6c936 Mon Sep 17 00:00:00 2001
From: Jason Young
Date: Mon, 12 Feb 2018 17:31:16 -0800
Subject: [PATCH 02/15] add SchemaSource
---
 apis/v1alpha1/api.proto | 198 +++++++++++-----------------------------
 1 file changed, 51 insertions(+), 147 deletions(-)
diff --git a/apis/v1alpha1/api.proto b/apis/v1alpha1/api.proto
index d0388b10645..3f4599e5aa7 100644
--- a/apis/v1alpha1/api.proto
+++ b/apis/v1alpha1/api.proto
@@ -1,4 +1,4 @@
-// Copyright 2017 Istio Authors
+// Copyright 2018 Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
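Review bot: The `regex` member of `HTTPGenericPattern.pattern` in apis/v1alpha1/http_generic.proto takes an arbitrary user-written expression that will be evaluated against request paths, and its comment fixes neither the matching mode nor any limit on the pattern. The sample `"^/pets/(.*?)?"` has no end anchor, so whether it is a prefix search or a full match is left to the implementation, and a backtracking ECMAScript-style engine can take super-linear time on patterns with nested quantifiers. I would state the contract in the field comment, e.g. `// Must match the entire request path. Patterns are length-limited and rejected at config validation if they do not compile.`, and correct the citation, which should read ECMA-262 rather than `EDCA-262`. The comments on `uri_template` and `http_method` likewise do not say whether the path is normalized or the method compared case-sensitively before matching, which matters if the generated `api.operation` attribute feeds policy decisions (presumably it does; not visible here).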
@@ -22,176 +22,80 @@ option (gogoproto.goproto_getters_all) = false; option (gogoproto.equal_all) = false; option (gogoproto.gostring_all) = false; -// OpenAPI v2 specification -// https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md +// SchemeSource defines the source for an API schema. +message SchemaSource { + // External URL reference to source API schema. The reference is + // expected to be immutable and valid for the lifetime of the + // SchemeSource and encompassing API specification. Changing the + // referenced spec after the reference is submitted is undefined + // behavior. + string external = 1; + + // String inlined in the configuration. Binary data should be base64 + // encoded. + string inline_string = 2; +} + +// [OpenAPI v2](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md) message OpenApiv2 { - oneof data { - // utf-8 encoding of OpenAPI v2 document written in YAML or JSON. - string yaml = 1; - } + SchemaSource schema_source = 1; } -// OpenAPI v3 specification -// https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md +// [OpenAPI v3](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md) message OpenApiv3 { - oneof data { - // utf-8 encoding of OpenAPI v3 document written in YAML or JSON. - string yaml = 1; - } + SchemaSource schema_source = 1; } // A protobuf descriptor set for a gRPC service. message Grpc { - oneof data { - // Binary content of the proto descriptor set for the gRPC service. - bytes binary = 1; - } + SchemaSource schema_source = 1; + + // Select the set of services in the descriptor set that this grpc + // definition references. A descriptor set may include multiple + // service definitions, due to dependencies, but only a subset of + // them are served by the specified backend. + repeated string selected_services = 2; } // API configuration for describing the API surface of a (sub)set of // services. 
These API descriptions are used to generate API related -// attibutes. Security definitions, extensions, etc. are preserved but -// not used by Istio. -// -// For example, -// https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml -// would be encoded with the following: +// attibutes and enable other API management features, +// e.g. transcoding (when applicable), unify discovery of API services +// within the mesh. Security definitions, extensions, etc. are +// preserved but not used by Istio. // // apiVersion: apis.istio.io/v1alpha1 -// kind: HTTPAPI +// kind: HttpApi // metadata: // name: petstore // spec: -// openapiv2: | -// swagger: "2.0" -// info: -// version: "1.0.0" -// title: "Swagger Petstore" -// description: "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification" -// termsOfService: "http://swagger.io/terms/" -// contact: -// name: "Swagger API Team" -// license: -// name: "MIT" -// host: "petstore.swagger.io" -// basePath: "/api" -// schemes: -// - "http" -// consumes: -// - "application/json" -// produces: -// - "application/json" -// paths: -// /pets: -// get: -// description: "Returns all pets from the system that the user has access to" -// operationId: "findPets" -// produces: -// - "application/json" -// - "application/xml" -// - "text/xml" -// - "text/html" -// parameters: -// - -// name: "tags" -// in: "query" -// description: "tags to filter by" -// required: false -// type: "array" -// items: -// type: "string" -// collectionFormat: "csv" -// ... etc ... +// openapiv2: +// sourceSchema: +// external: https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml // -// This file could be created from the command line with istioctl, e.g. 
-// -// istioctl create httpapi petstore --type=openapiv2 --from-file=petstore-simple.yaml -// -message HTTPAPI { +message HttpApi { oneof type { - HTTPGeneric http_generic = 1; - OpenAPIv2 openapiv2 = 2; - OpenAPIv3 openapiv3 = 3; + HttpGeneric generic = 1; + OpenApiv2 openapiv2 = 2; + OpenApiv3 openapiv3 = 3; Grpc grpc = 4; } - // TODO - how do bind this API to a set of services? - // - // option (1) - define api-to-service binding inline with - // `destination` below. Nice and self-contained, but may require - // duplicate API instances if services are composed of multiple - // smaller services, e.g. every service has a "healthcheck" API. - // - // option (2) - use external binding resource, - // e.g. HTTIAPISpecBinding. Useful for reuseing and composing API - // definitions across sets of services. - // - repeated istio.routing.v1alpha2.Destination destinations = 5; + // List of destination services that this API is bound to. + repeated Destination destinations = 5; - // TODO - OpenAPI/gRPC types may be normalized to generic HTTP. This - // could be hidden from the user. Alternatively, it might be useful - // to reflect this back into the user-facing configuration resource - // to aid in debugability. - HTTPGeneric normalized_http = 6; + // OpenApi and gRPC may be normalized to generic HTTP for API + // attribute generation. This could be hidden from the + // user. Alternatively, it might be useful to reflect this back into + // the user-facing configuration resource to aid in debugability. + HttpGeneric normalized_http = 6; } - -///////////////////////////////////////////////////////////////// +// TODO - This is conceptually similar to the routing API's notion of +// named subsets. Should we reuse those types, or duplicate the types +// customized for our purposes? // -// NOTE: The HTTPAPIReference and HTTPAPIBinding beow would be used for -// external binding API to a set of services. 
They aren't needed if -// the inline destination binding option is selected. -// -//////////////////////////////////////////////////////////////// - - - -// HTTPAPIReference defines a reference to an API. This is typically used -// for establishing bindings between an API and an IstioService. For -// example, the following defines an HTTPAPIReference for service `foo` in -// namespace `bar`. -// -// - name: foo -// namespace: bar -// -message HTTPAPIReference { - // REQUIRED. The short name of the API. This is the resource name - // defined by the metadata name field. - string name = 1; - - // Optional namespace of the API. Defaults to the encompassing - // HTTPAPIBinding's metadata namespace field. - string namespace = 2; -} - -// HTTPAPIBinding defines the binding between APIs and one or more -// IstioService. For example, the following establishes a binding -// between the API `petstore` and service `foo` in namespace `bar`. -// -// apiVersion: apis.istio.io/v1alpha2 -// kind: HTTPAPIBinding -// metadata: -// name: my-binding -// namespace: default -// spec: -// services: -// - name: foo -// namespace: bar -// api_specs: -// - name: petstore -// namespace: default -// -message HTTPAPIBinding { - // List of destinations (workloads) that the policy should be applied on. - // If empty, policy will be used on all destinations in the same namespace. - repeated istio.routing.v1alpha2.Destination destinations = 1; - - // TODO - how to bind a set of services to an API spec? Option (1) - // shown below uses an array of references. Alternatively, this - // could use a labels and labelSelectors. - - // REQUIRED. One or more API references that should be mapped to - // the specified service(s). The aggregate collection of match - // conditions defined in the APIs should not overlap. - repeated HTTPAPIReference apis = 2; +// This needs to allow for binding an API to a service (i.e. host), +// named subsets using labels, and/or edge proxy (gateway/ingress). 
+message Destination { } From 29e4fa2db909eed9e1a955bf64f1e623ac70786c Mon Sep 17 00:00:00 2001 From: Jason Young Date: Tue, 13 Feb 2018 16:00:56 -0800 Subject: [PATCH 03/15] refactor schema definition to use google.protobuf.Struct --- Makefile | 20 + apis/v1alpha1/api.pb.go | 1951 +++++++++++++++++++++ apis/v1alpha1/api.proto | 148 +- apis/v1alpha1/http_generic.pb.go | 847 +++++++++ apis/v1alpha1/http_generic.proto | 40 +- apis/v1alpha1/istio.apis.v1alpha1.pb.html | 571 ++++++ 6 files changed, 3526 insertions(+), 51 deletions(-) create mode 100644 apis/v1alpha1/api.pb.go create mode 100644 apis/v1alpha1/http_generic.pb.go create mode 100644 apis/v1alpha1/istio.apis.v1alpha1.pb.html diff --git a/Makefile b/Makefile index 931b63dc50d..d1b43f081fb 100644 --- a/Makefile +++ b/Makefile @@ -301,6 +301,26 @@ clean-rbac-generated: rm -f $(rbac_v1alpha1_pb_gos) rm -f $(rbac_v1alpha1_pb_doc) +##################### +# apis/... +##################### + +apis_v1alpha1_path := apis/v1alpha1 +apis_v1alpha1_protos := $(shell find $(apis_v1alpha1_path) -type f -name '*.proto' | sort) +apis_v1alpha1_pb_gos := $(apis_v1alpha1_protos:.proto=.pb.go) +apis_v1alpha1_pb_doc := $(apis_v1alpha1_path)/istio.apis.v1alpha1.pb.html + +generate-apis-go: $(apis_v1alpha1_pb_gos) $(apis_v1alpha1_pb_doc) + +$(apis_v1alpha1_pb_gos) $(apis_v1alpha1_pb_doc): $(apis_v1alpha1_protos) | depend $(protoc_gen_gogoslick) $(protoc_bin) + ## Generate apis/v1alpha1/*.pb.go + $(apis_v1alpha1_pb_doc) + @$(protoc) $(proto_path) $(gogoslick_plugin) $(protoc_gen_docs_plugin)$(apis_v1alpha1_path) $^ + +clean-apis-generated: + rm -f $(apis_v1alpha1_pb_gos) + rm -f $(apis_v1alpha1_pb_doc) + + ##################### # Cleanup ##################### diff --git a/apis/v1alpha1/api.pb.go b/apis/v1alpha1/api.pb.go new file mode 100644 index 00000000000..bbfcc6b5126 --- /dev/null +++ b/apis/v1alpha1/api.pb.go 
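Review bot: `SchemaSource.external` in the api.proto hunk of PATCH 02 is documented as immutable, but the message gives a consumer no way to check that: the example in the same hunk points at a `blob/master` URL, which can change under the reference, and `external` and `inline_string` are plain sibling fields, so a config can set both with no defined winner. Putting the two in a `oneof` and adding a content digest for the external case would let the fetched document be verified before it is parsed. Whichever component dereferences the URL (not visible in this patch) should also restrict the allowed schemes and destinations, since the value is user-supplied. The comment says `SchemeSource` where the message is `SchemaSource`, and the YAML example uses `sourceSchema:` while the field is `schema_source`.

```protobuf
message SchemaSource {
  oneof source {
    // … unchanged: comment on external …
    string external = 1;
    // … unchanged: comment on inline_string …
    string inline_string = 2;
  }

  // Hex-encoded SHA-256 of the document behind `external`. When set,
  // fetched content whose digest differs is rejected.
  string external_sha256 = 3;
}
```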
@@ -0,0 +1,1951 @@ +// Code generated by protoc-gen-gogo. DO NOT EDIT. +// source: apis/v1alpha1/api.proto + +/* + Package v1alpha1 is a generated protocol buffer package. + + $title: APIs + $overview: Configuration for describing the API surface of services and edge load balancers (e.g. ingress). + $location: https://istio.io/docs/reference/config/istio.apis.v1alpha1.html + + It is generated from these files: + apis/v1alpha1/api.proto + apis/v1alpha1/http_generic.proto + + It has these top-level messages: + SchemaSource + OpenApiv2 + OpenApiv3 + Grpc + HttpApi + Destination + PortSelector + HttpGeneric + HttpGenericPattern +*/ +package v1alpha1 + +import proto "github.com/gogo/protobuf/proto" +import fmt "fmt" +import math "math" +import google_protobuf "github.com/golang/protobuf/ptypes/struct" +import _ "github.com/gogo/protobuf/gogoproto" + +import strings "strings" +import reflect "reflect" +import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys" + +import io "io" + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package + +// SchemeSource defines the source for an API schema. +type SchemaSource struct { + // External URL reference to the source API schema. The reference is + // expected to be immutable and valid for the lifetime of the + // SchemeSource and encompassing API specification. Changing the + // referenced spec after the reference is submitted is undefined + // behavior. + External string `protobuf:"bytes,1,opt,name=external,proto3" json:"external,omitempty"` + // String inlined in the configuration. 
Binary data should be base64 + // encoded. + InlineString string `protobuf:"bytes,2,opt,name=inline_string,json=inlineString,proto3" json:"inline_string,omitempty"` +} + +func (m *SchemaSource) Reset() { *m = SchemaSource{} } +func (*SchemaSource) ProtoMessage() {} +func (*SchemaSource) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{0} } + +// [OpenAPI v2](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md) +type OpenApiv2 struct { + // Source of the OpenAPI v2 specification for the API. The inline + // string representation should be UTF-8 encoded. + Source *SchemaSource `protobuf:"bytes,1,opt,name=source" json:"source,omitempty"` +} + +func (m *OpenApiv2) Reset() { *m = OpenApiv2{} } +func (*OpenApiv2) ProtoMessage() {} +func (*OpenApiv2) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{1} } + +// [OpenAPI v3](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md) +type OpenApiv3 struct { + // Source of the OpenAPI v3 specification for the API. The inline + // string representation should be UTF-8 encoded. + Source *SchemaSource `protobuf:"bytes,1,opt,name=source" json:"source,omitempty"` +} + +func (m *OpenApiv3) Reset() { *m = OpenApiv3{} } +func (*OpenApiv3) ProtoMessage() {} +func (*OpenApiv3) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{2} } + +// A protobuf descriptor set for a gRPC service. +// +// Protocol buffers do not contain descriptions of their own types and +// services. However, the contents of a .proto file itself can be +// represented using protocol buffers (see +// [google/protobuf/descriptor.proto](https://github.com/google/protobuf/blob/master/src/google/protobuf/descriptor.proto)). protoc +// can output a FileDescriptorSet – which represents a set of .proto +// files – using the --descriptor_set_out option. +// +// For example, the following generates the descriptor set from +// bookstore.proto: +// +// protoc -I. 
--include_imports --include_source_info \ +// --descriptor_set_out=proto.pb test/proto/bookstore.proto +// +// proto2 and proto3 syntax are supported. +type Grpc struct { + // Source of the gRPC specification for the API. The inline + // representation of the protobuf descriptor set should be base64 + // encoded. + Source *SchemaSource `protobuf:"bytes,1,opt,name=source" json:"source,omitempty"` + // Select the set of services in the descriptor set that this grpc + // definition references. A descriptor set may include multiple + // service definitions, due to dependencies, but only a subset of + // them are served by the specified backend. + SelectedServices []string `protobuf:"bytes,2,rep,name=selected_services,json=selectedServices" json:"selected_services,omitempty"` +} + +func (m *Grpc) Reset() { *m = Grpc{} } +func (*Grpc) ProtoMessage() {} +func (*Grpc) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{3} } + +// API configuration for describing the API surface of a service, +// subset of services, or edge proxies. These API descriptions are +// used to generate API related attibutes and enable other API +// management features, e.g. transcoding (when applicable), unify +// discovery of API services within the mesh. Security definitions, +// extensions, etc. are preserved but not used by Istio. +// +// apiVersion: apis.istio.io/v1alpha1 +// kind: HttpApi +// metadata: +// name: petstore +// spec: +// type: OpenApiv2 +// schema: +// source: +// external: https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml +// destinations: +// - host: petstore.foo.svc +// labels: +// version: v1 +// port: +// 80 +// +type HttpApi struct { + // The type of API schema that is stored in `schema`. Valid types + // are "OpenApiv2", "OpenApiv3", "Grpc", and "HttpGeneric". + Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` + // Schema for the API. 
Valid schema types OpenApiv2, OpenApiv3, + // Grpc, and HttpGeneric in the `apis.istio.io/v1alpha1` apiversion. + Schema *google_protobuf.Struct `protobuf:"bytes,2,opt,name=schema" json:"schema,omitempty"` + // List of destination services that this API is bound + // to. Destinations may be omitted if one or more gateways is + // specified. + Destinations []*Destination `protobuf:"bytes,4,rep,name=destinations" json:"destinations,omitempty"` + // The names of gateways that should apply these API specifications + // as defined by routing.istio.io/v1alpha2/Gateway. Gateways may be + // omitted if one or more destination services is specified. + Gateways []string `protobuf:"bytes,5,rep,name=gateways" json:"gateways,omitempty"` + // openapi v2/v3 and grpc are normalized to the generic form. + Normalized *HttpGeneric `protobuf:"bytes,6,opt,name=normalized" json:"normalized,omitempty"` +} + +func (m *HttpApi) Reset() { *m = HttpApi{} } +func (*HttpApi) ProtoMessage() {} +func (*HttpApi) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{4} } + +// The intent of this message is to define a destination service +// (name) that can be qualified by subset (labels) and port(s). This +// is uses the same concepts defined by routing's Destination, +// DestinationRule, and Subset messages. I could have used those types +// directly but they included things TrafficPolicy which isn't +// appropriate here. It also seemed unintuitive to require creating +// DestinationRules to apply an API spec. +// +// TODO - other policy (e.g. auth, quota) may want to use simlar +// concepts. Should we introduce a common type for such a purpose and, +// if so, where should it live? +// +type Destination struct { + // REQUIRED. The destination address for traffic captured by this routing + // rule. Could be a DNS name with wildcard prefix or a CIDR + // prefix. Depending on the platform, short-names can also be used + // instead of a FQDN (i.e. has no dots in the name). 
In such a scenario, + // the FQDN of the host would be derived based on the underlying + // platform. + Host string `protobuf:"bytes,1,opt,name=host,proto3" json:"host,omitempty"` + // Labels defines a subset of endpoints of a service. Subsets can be + // used for scenarios like A/B testing, or routing to a specific + // version of a service. + Labels map[string]string `protobuf:"bytes,2,rep,name=labels" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // Specifies the port on the destination. Many services only expose a + // single port or label ports with the protocols they support, in these + // cases it is not required to explicitly select the port. Note that + // selection priority is to first match by name and then match by number. + // + // Names must comply with DNS label syntax (rfc1035) and therefore cannot + // collide with numbers. If there are multiple ports on a service with + // the same protocol the names should be of the form -. + Port *PortSelector `protobuf:"bytes,3,opt,name=port" json:"port,omitempty"` +} + +func (m *Destination) Reset() { *m = Destination{} } +func (*Destination) ProtoMessage() {} +func (*Destination) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{5} } + +// PortSelector specifies the name or number of a port to be used for +// matching or selection for final routing. 
+type PortSelector struct { + // Types that are valid to be assigned to Port: + // *PortSelector_Number + // *PortSelector_Name + Port isPortSelector_Port `protobuf_oneof:"port"` +} + +func (m *PortSelector) Reset() { *m = PortSelector{} } +func (*PortSelector) ProtoMessage() {} +func (*PortSelector) Descriptor() ([]byte, []int) { return fileDescriptorApi, []int{6} } + +type isPortSelector_Port interface { + isPortSelector_Port() + MarshalTo([]byte) (int, error) + Size() int +} + +type PortSelector_Number struct { + Number uint32 `protobuf:"varint,1,opt,name=number,proto3,oneof"` +} +type PortSelector_Name struct { + Name string `protobuf:"bytes,2,opt,name=name,proto3,oneof"` +} + +func (*PortSelector_Number) isPortSelector_Port() {} +func (*PortSelector_Name) isPortSelector_Port() {} + +func (m *PortSelector) GetPort() isPortSelector_Port { + if m != nil { + return m.Port + } + return nil +} + +func (m *PortSelector) GetNumber() uint32 { + if x, ok := m.GetPort().(*PortSelector_Number); ok { + return x.Number + } + return 0 +} + +func (m *PortSelector) GetName() string { + if x, ok := m.GetPort().(*PortSelector_Name); ok { + return x.Name + } + return "" +} + +// XXX_OneofFuncs is for the internal use of the proto package. 
+func (*PortSelector) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) { + return _PortSelector_OneofMarshaler, _PortSelector_OneofUnmarshaler, _PortSelector_OneofSizer, []interface{}{ + (*PortSelector_Number)(nil), + (*PortSelector_Name)(nil), + } +} + +func _PortSelector_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { + m := msg.(*PortSelector) + // port + switch x := m.Port.(type) { + case *PortSelector_Number: + _ = b.EncodeVarint(1<<3 | proto.WireVarint) + _ = b.EncodeVarint(uint64(x.Number)) + case *PortSelector_Name: + _ = b.EncodeVarint(2<<3 | proto.WireBytes) + _ = b.EncodeStringBytes(x.Name) + case nil: + default: + return fmt.Errorf("PortSelector.Port has unexpected type %T", x) + } + return nil +} + +func _PortSelector_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { + m := msg.(*PortSelector) + switch tag { + case 1: // port.number + if wire != proto.WireVarint { + return true, proto.ErrInternalBadWireType + } + x, err := b.DecodeVarint() + m.Port = &PortSelector_Number{uint32(x)} + return true, err + case 2: // port.name + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + x, err := b.DecodeStringBytes() + m.Port = &PortSelector_Name{x} + return true, err + default: + return false, nil + } +} + +func _PortSelector_OneofSizer(msg proto.Message) (n int) { + m := msg.(*PortSelector) + // port + switch x := m.Port.(type) { + case *PortSelector_Number: + n += proto.SizeVarint(1<<3 | proto.WireVarint) + n += proto.SizeVarint(uint64(x.Number)) + case *PortSelector_Name: + n += proto.SizeVarint(2<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(len(x.Name))) + n += len(x.Name) + case nil: + default: + panic(fmt.Sprintf("proto: unexpected type %T in oneof", x)) + } + return n +} + +func init() { + proto.RegisterType((*SchemaSource)(nil), 
"istio.apis.v1alpha1.SchemaSource") + proto.RegisterType((*OpenApiv2)(nil), "istio.apis.v1alpha1.OpenApiv2") + proto.RegisterType((*OpenApiv3)(nil), "istio.apis.v1alpha1.OpenApiv3") + proto.RegisterType((*Grpc)(nil), "istio.apis.v1alpha1.Grpc") + proto.RegisterType((*HttpApi)(nil), "istio.apis.v1alpha1.HttpApi") + proto.RegisterType((*Destination)(nil), "istio.apis.v1alpha1.Destination") + proto.RegisterType((*PortSelector)(nil), "istio.apis.v1alpha1.PortSelector") +} +func (m *SchemaSource) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SchemaSource) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.External) > 0 { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(len(m.External))) + i += copy(dAtA[i:], m.External) + } + if len(m.InlineString) > 0 { + dAtA[i] = 0x12 + i++ + i = encodeVarintApi(dAtA, i, uint64(len(m.InlineString))) + i += copy(dAtA[i:], m.InlineString) + } + return i, nil +} + +func (m *OpenApiv2) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *OpenApiv2) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Source != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Source.Size())) + n1, err := m.Source.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n1 + } + return i, nil +} + +func (m *OpenApiv3) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *OpenApiv3) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Source != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, 
uint64(m.Source.Size())) + n2, err := m.Source.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n2 + } + return i, nil +} + +func (m *Grpc) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Grpc) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Source != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Source.Size())) + n3, err := m.Source.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n3 + } + if len(m.SelectedServices) > 0 { + for _, s := range m.SelectedServices { + dAtA[i] = 0x12 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + return i, nil +} + +func (m *HttpApi) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *HttpApi) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Type) > 0 { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(len(m.Type))) + i += copy(dAtA[i:], m.Type) + } + if m.Schema != nil { + dAtA[i] = 0x12 + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Schema.Size())) + n4, err := m.Schema.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n4 + } + if len(m.Destinations) > 0 { + for _, msg := range m.Destinations { + dAtA[i] = 0x22 + i++ + i = encodeVarintApi(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + if len(m.Gateways) > 0 { + for _, s := range m.Gateways { + dAtA[i] = 0x2a + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } + if 
m.Normalized != nil { + dAtA[i] = 0x32 + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Normalized.Size())) + n5, err := m.Normalized.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n5 + } + return i, nil +} + +func (m *Destination) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Destination) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.Host) > 0 { + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(len(m.Host))) + i += copy(dAtA[i:], m.Host) + } + if len(m.Labels) > 0 { + for k, _ := range m.Labels { + dAtA[i] = 0x12 + i++ + v := m.Labels[k] + mapSize := 1 + len(k) + sovApi(uint64(len(k))) + 1 + len(v) + sovApi(uint64(len(v))) + i = encodeVarintApi(dAtA, i, uint64(mapSize)) + dAtA[i] = 0xa + i++ + i = encodeVarintApi(dAtA, i, uint64(len(k))) + i += copy(dAtA[i:], k) + dAtA[i] = 0x12 + i++ + i = encodeVarintApi(dAtA, i, uint64(len(v))) + i += copy(dAtA[i:], v) + } + } + if m.Port != nil { + dAtA[i] = 0x1a + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Port.Size())) + n6, err := m.Port.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n6 + } + return i, nil +} + +func (m *PortSelector) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *PortSelector) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Port != nil { + nn7, err := m.Port.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += nn7 + } + return i, nil +} + +func (m *PortSelector_Number) MarshalTo(dAtA []byte) (int, error) { + i := 0 + dAtA[i] = 0x8 + i++ + i = encodeVarintApi(dAtA, i, uint64(m.Number)) + return i, nil +} +func (m *PortSelector_Name) MarshalTo(dAtA []byte) (int, error) { + i := 0 + dAtA[i] 
= 0x12 + i++ + i = encodeVarintApi(dAtA, i, uint64(len(m.Name))) + i += copy(dAtA[i:], m.Name) + return i, nil +} +func encodeVarintApi(dAtA []byte, offset int, v uint64) int { + for v >= 1<<7 { + dAtA[offset] = uint8(v&0x7f | 0x80) + v >>= 7 + offset++ + } + dAtA[offset] = uint8(v) + return offset + 1 +} +func (m *SchemaSource) Size() (n int) { + var l int + _ = l + l = len(m.External) + if l > 0 { + n += 1 + l + sovApi(uint64(l)) + } + l = len(m.InlineString) + if l > 0 { + n += 1 + l + sovApi(uint64(l)) + } + return n +} + +func (m *OpenApiv2) Size() (n int) { + var l int + _ = l + if m.Source != nil { + l = m.Source.Size() + n += 1 + l + sovApi(uint64(l)) + } + return n +} + +func (m *OpenApiv3) Size() (n int) { + var l int + _ = l + if m.Source != nil { + l = m.Source.Size() + n += 1 + l + sovApi(uint64(l)) + } + return n +} + +func (m *Grpc) Size() (n int) { + var l int + _ = l + if m.Source != nil { + l = m.Source.Size() + n += 1 + l + sovApi(uint64(l)) + } + if len(m.SelectedServices) > 0 { + for _, s := range m.SelectedServices { + l = len(s) + n += 1 + l + sovApi(uint64(l)) + } + } + return n +} + +func (m *HttpApi) Size() (n int) { + var l int + _ = l + l = len(m.Type) + if l > 0 { + n += 1 + l + sovApi(uint64(l)) + } + if m.Schema != nil { + l = m.Schema.Size() + n += 1 + l + sovApi(uint64(l)) + } + if len(m.Destinations) > 0 { + for _, e := range m.Destinations { + l = e.Size() + n += 1 + l + sovApi(uint64(l)) + } + } + if len(m.Gateways) > 0 { + for _, s := range m.Gateways { + l = len(s) + n += 1 + l + sovApi(uint64(l)) + } + } + if m.Normalized != nil { + l = m.Normalized.Size() + n += 1 + l + sovApi(uint64(l)) + } + return n +} + +func (m *Destination) Size() (n int) { + var l int + _ = l + l = len(m.Host) + if l > 0 { + n += 1 + l + sovApi(uint64(l)) + } + if len(m.Labels) > 0 { + for k, v := range m.Labels { + _ = k + _ = v + mapEntrySize := 1 + len(k) + sovApi(uint64(len(k))) + 1 + len(v) + sovApi(uint64(len(v))) + n += mapEntrySize + 1 + 
sovApi(uint64(mapEntrySize)) + } + } + if m.Port != nil { + l = m.Port.Size() + n += 1 + l + sovApi(uint64(l)) + } + return n +} + +func (m *PortSelector) Size() (n int) { + var l int + _ = l + if m.Port != nil { + n += m.Port.Size() + } + return n +} + +func (m *PortSelector_Number) Size() (n int) { + var l int + _ = l + n += 1 + sovApi(uint64(m.Number)) + return n +} +func (m *PortSelector_Name) Size() (n int) { + var l int + _ = l + l = len(m.Name) + n += 1 + l + sovApi(uint64(l)) + return n +} + +func sovApi(x uint64) (n int) { + for { + n++ + x >>= 7 + if x == 0 { + break + } + } + return n +} +func sozApi(x uint64) (n int) { + return sovApi(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (this *SchemaSource) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SchemaSource{`, + `External:` + fmt.Sprintf("%v", this.External) + `,`, + `InlineString:` + fmt.Sprintf("%v", this.InlineString) + `,`, + `}`, + }, "") + return s +} +func (this *OpenApiv2) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&OpenApiv2{`, + `Source:` + strings.Replace(fmt.Sprintf("%v", this.Source), "SchemaSource", "SchemaSource", 1) + `,`, + `}`, + }, "") + return s +} +func (this *OpenApiv3) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&OpenApiv3{`, + `Source:` + strings.Replace(fmt.Sprintf("%v", this.Source), "SchemaSource", "SchemaSource", 1) + `,`, + `}`, + }, "") + return s +} +func (this *Grpc) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&Grpc{`, + `Source:` + strings.Replace(fmt.Sprintf("%v", this.Source), "SchemaSource", "SchemaSource", 1) + `,`, + `SelectedServices:` + fmt.Sprintf("%v", this.SelectedServices) + `,`, + `}`, + }, "") + return s +} +func (this *HttpApi) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&HttpApi{`, + `Type:` + fmt.Sprintf("%v", this.Type) + `,`, + `Schema:` 
+ strings.Replace(fmt.Sprintf("%v", this.Schema), "Struct", "google_protobuf.Struct", 1) + `,`, + `Destinations:` + strings.Replace(fmt.Sprintf("%v", this.Destinations), "Destination", "Destination", 1) + `,`, + `Gateways:` + fmt.Sprintf("%v", this.Gateways) + `,`, + `Normalized:` + strings.Replace(fmt.Sprintf("%v", this.Normalized), "HttpGeneric", "HttpGeneric", 1) + `,`, + `}`, + }, "") + return s +} +func (this *Destination) String() string { + if this == nil { + return "nil" + } + keysForLabels := make([]string, 0, len(this.Labels)) + for k, _ := range this.Labels { + keysForLabels = append(keysForLabels, k) + } + github_com_gogo_protobuf_sortkeys.Strings(keysForLabels) + mapStringForLabels := "map[string]string{" + for _, k := range keysForLabels { + mapStringForLabels += fmt.Sprintf("%v: %v,", k, this.Labels[k]) + } + mapStringForLabels += "}" + s := strings.Join([]string{`&Destination{`, + `Host:` + fmt.Sprintf("%v", this.Host) + `,`, + `Labels:` + mapStringForLabels + `,`, + `Port:` + strings.Replace(fmt.Sprintf("%v", this.Port), "PortSelector", "PortSelector", 1) + `,`, + `}`, + }, "") + return s +} +func (this *PortSelector) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PortSelector{`, + `Port:` + fmt.Sprintf("%v", this.Port) + `,`, + `}`, + }, "") + return s +} +func (this *PortSelector_Number) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PortSelector_Number{`, + `Number:` + fmt.Sprintf("%v", this.Number) + `,`, + `}`, + }, "") + return s +} +func (this *PortSelector_Name) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&PortSelector_Name{`, + `Name:` + fmt.Sprintf("%v", this.Name) + `,`, + `}`, + }, "") + return s +} +func valueToStringApi(v interface{}) string { + rv := reflect.ValueOf(v) + if rv.IsNil() { + return "nil" + } + pv := reflect.Indirect(rv).Interface() + return fmt.Sprintf("*%v", pv) +} +func (m *SchemaSource) 
Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SchemaSource: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SchemaSource: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field External", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.External = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field InlineString", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.InlineString = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil 
{ + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *OpenApiv2) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: OpenApiv2: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: OpenApiv2: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Source == nil { + m.Source = &SchemaSource{} + } + if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *OpenApiv3) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire 
uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: OpenApiv3: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: OpenApiv3: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Source == nil { + m.Source = &SchemaSource{} + } + if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *Grpc) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: Grpc: 
wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: Grpc: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Source == nil { + m.Source = &SchemaSource{} + } + if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SelectedServices", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.SelectedServices = append(m.SelectedServices, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *HttpApi) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 
64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: HttpApi: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: HttpApi: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Type = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Schema", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Schema == nil { + m.Schema = &google_protobuf.Struct{} + } + if err := m.Schema.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Destinations", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx 
>= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Destinations = append(m.Destinations, &Destination{}) + if err := m.Destinations[len(m.Destinations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Gateways", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Gateways = append(m.Gateways, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Normalized", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Normalized == nil { + m.Normalized = &HttpGeneric{} + } + if err := m.Normalized.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return 
io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *Destination) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: Destination: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: Destination: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Host = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Labels == nil { + m.Labels = make(map[string]string) + } + var mapkey string + 
var mapvalue string + for iNdEx < postIndex { + entryPreIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + if fieldNum == 1 { + var stringLenmapkey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapkey |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapkey := int(stringLenmapkey) + if intStringLenmapkey < 0 { + return ErrInvalidLengthApi + } + postStringIndexmapkey := iNdEx + intStringLenmapkey + if postStringIndexmapkey > l { + return io.ErrUnexpectedEOF + } + mapkey = string(dAtA[iNdEx:postStringIndexmapkey]) + iNdEx = postStringIndexmapkey + } else if fieldNum == 2 { + var stringLenmapvalue uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapvalue |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapvalue := int(stringLenmapvalue) + if intStringLenmapvalue < 0 { + return ErrInvalidLengthApi + } + postStringIndexmapvalue := iNdEx + intStringLenmapvalue + if postStringIndexmapvalue > l { + return io.ErrUnexpectedEOF + } + mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue]) + iNdEx = postStringIndexmapvalue + } else { + iNdEx = entryPreIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > postIndex { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + m.Labels[mapkey] = mapvalue + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d 
for field Port", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Port == nil { + m.Port = &PortSelector{} + } + if err := m.Port.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *PortSelector) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: PortSelector: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: PortSelector: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Number", wireType) + } + var v uint32 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= (uint32(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + m.Port = &PortSelector_Number{v} + case 2: + if wireType != 2 { + 
return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowApi + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthApi + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Port = &PortSelector_Name{string(dAtA[iNdEx:postIndex])} + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipApi(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthApi + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func skipApi(dAtA []byte) (n int, err error) { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowApi + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + wireType := int(wire & 0x7) + switch wireType { + case 0: + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowApi + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + iNdEx++ + if dAtA[iNdEx-1] < 0x80 { + break + } + } + return iNdEx, nil + case 1: + iNdEx += 8 + return iNdEx, nil + case 2: + var length int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowApi + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + length |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + iNdEx += length + if length < 0 { + return 0, ErrInvalidLengthApi + } + return iNdEx, nil + case 3: + for { + var innerWire 
uint64 + var start int = iNdEx + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowApi + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + innerWire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + innerWireType := int(innerWire & 0x7) + if innerWireType == 4 { + break + } + next, err := skipApi(dAtA[start:]) + if err != nil { + return 0, err + } + iNdEx = start + next + } + return iNdEx, nil + case 4: + return iNdEx, nil + case 5: + iNdEx += 4 + return iNdEx, nil + default: + return 0, fmt.Errorf("proto: illegal wireType %d", wireType) + } + } + panic("unreachable") +} + +var ( + ErrInvalidLengthApi = fmt.Errorf("proto: negative length found during unmarshaling") + ErrIntOverflowApi = fmt.Errorf("proto: integer overflow") +) + +func init() { proto.RegisterFile("apis/v1alpha1/api.proto", fileDescriptorApi) } + +var fileDescriptorApi = []byte{ + // 567 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0x41, 0x6f, 0xd3, 0x30, + 0x14, 0x4e, 0xd6, 0x2e, 0x50, 0xa7, 0x93, 0x86, 0xa9, 0xb4, 0xa8, 0x42, 0x56, 0x29, 0x97, 0x4a, + 0xa0, 0x44, 0xeb, 0x84, 0xc4, 0x38, 0xb1, 0xa9, 0x6c, 0x3d, 0x4c, 0x1a, 0x4a, 0x6e, 0x5c, 0x2a, + 0x37, 0x35, 0xa9, 0x45, 0x6a, 0x5b, 0xb6, 0x5b, 0x28, 0x27, 0x7e, 0x02, 0x3f, 0x83, 0x9f, 0xb2, + 0xe3, 0x8e, 0x70, 0xa3, 0xe1, 0xc2, 0x71, 0xe2, 0x17, 0xa0, 0x38, 0xe9, 0x48, 0xa5, 0x0a, 0x0e, + 0xbb, 0xbd, 0xf7, 0xfc, 0xbd, 0xcf, 0xef, 0xf3, 0xf7, 0x12, 0x70, 0x80, 0x05, 0x55, 0xc1, 0xe2, + 0x10, 0xa7, 0x62, 0x8a, 0x0f, 0x03, 0x2c, 0xa8, 0x2f, 0x24, 0xd7, 0x1c, 0x3e, 0xa4, 0x4a, 0x53, + 0xee, 0xe7, 0xc7, 0xfe, 0xfa, 0xb8, 0xfd, 0x28, 0xe1, 0x3c, 0x49, 0x49, 0x60, 0x20, 0xe3, 0xf9, + 0xbb, 0x40, 0x69, 0x39, 0x8f, 0x75, 0xd1, 0xd2, 0x6e, 0x25, 0x3c, 0xe1, 0x26, 0x0c, 0xf2, 0xa8, + 0xac, 0x76, 0x36, 0x6f, 0x98, 0x6a, 0x2d, 0x46, 0x09, 0x61, 0x44, 0xd2, 0xb8, 0x40, 0x74, 0x2f, + 0x41, 0x33, 0x8a, 0xa7, 0x64, 
0x86, 0x23, 0x3e, 0x97, 0x31, 0x81, 0x6d, 0x70, 0x9f, 0x7c, 0xd4, + 0x44, 0x32, 0x9c, 0x7a, 0x76, 0xc7, 0xee, 0x35, 0xc2, 0xdb, 0x1c, 0x3e, 0x01, 0x7b, 0x94, 0xa5, + 0x94, 0x91, 0x91, 0xd2, 0x92, 0xb2, 0xc4, 0xdb, 0x31, 0x80, 0x66, 0x51, 0x8c, 0x4c, 0xad, 0x7b, + 0x06, 0x1a, 0x97, 0x82, 0xb0, 0x13, 0x41, 0x17, 0x7d, 0x78, 0x0c, 0x1c, 0x65, 0x78, 0x0d, 0x97, + 0xdb, 0x7f, 0xec, 0x6f, 0x51, 0xe6, 0x57, 0x07, 0x08, 0xcb, 0x86, 0x2a, 0xcf, 0xd1, 0x5d, 0x78, + 0x18, 0xa8, 0x9f, 0x4b, 0x11, 0xdf, 0x81, 0x02, 0x3e, 0x05, 0x0f, 0x14, 0x49, 0x49, 0xac, 0xc9, + 0x64, 0xa4, 0x88, 0x5c, 0xd0, 0x98, 0x28, 0x6f, 0xa7, 0x53, 0xeb, 0x35, 0xc2, 0xfd, 0xf5, 0x41, + 0x54, 0xd6, 0xbb, 0xbf, 0x6d, 0x70, 0x6f, 0xa8, 0xb5, 0x38, 0x11, 0x14, 0x42, 0x50, 0xd7, 0x4b, + 0x41, 0xca, 0x87, 0x34, 0x31, 0x0c, 0x80, 0xa3, 0xcc, 0x25, 0xe6, 0xf5, 0xdc, 0xfe, 0x81, 0x5f, + 0xf8, 0xea, 0xaf, 0x7d, 0xf5, 0x23, 0xe3, 0x6b, 0x58, 0xc2, 0xe0, 0x00, 0x34, 0x27, 0x44, 0x69, + 0xca, 0xb0, 0xa6, 0x9c, 0x29, 0xaf, 0xde, 0xa9, 0xf5, 0xdc, 0x7e, 0x67, 0xeb, 0xf8, 0x83, 0xbf, + 0xc0, 0x70, 0xa3, 0x2b, 0xf7, 0x35, 0xc1, 0x9a, 0x7c, 0xc0, 0x4b, 0xe5, 0xed, 0x9a, 0xd1, 0x6f, + 0x73, 0xf8, 0x0a, 0x00, 0xc6, 0xe5, 0x0c, 0xa7, 0xf4, 0x13, 0x99, 0x78, 0x8e, 0x19, 0x6b, 0x3b, + 0x7f, 0x2e, 0xec, 0xbc, 0xd8, 0x9f, 0xb0, 0xd2, 0xd3, 0xfd, 0x6e, 0x03, 0xb7, 0x72, 0x77, 0x2e, + 0x7c, 0xca, 0x95, 0x5e, 0x0b, 0xcf, 0x63, 0x38, 0x00, 0x4e, 0x8a, 0xc7, 0x24, 0x2d, 0x9e, 0xce, + 0xed, 0x3f, 0xfb, 0x9f, 0x02, 0xff, 0xc2, 0xc0, 0x5f, 0x33, 0x2d, 0x97, 0x61, 0xd9, 0x0b, 0x9f, + 0x83, 0xba, 0xe0, 0x52, 0x7b, 0xb5, 0x7f, 0x98, 0xf8, 0x86, 0x4b, 0x1d, 0x19, 0x5f, 0xb8, 0x0c, + 0x0d, 0xbc, 0x7d, 0x0c, 0xdc, 0x0a, 0x1b, 0xdc, 0x07, 0xb5, 0xf7, 0x64, 0x59, 0x8e, 0x97, 0x87, + 0xb0, 0x05, 0x76, 0x17, 0x38, 0x9d, 0x93, 0x72, 0xa7, 0x8b, 0xe4, 0xe5, 0xce, 0x0b, 0xbb, 0x7b, + 0x06, 0x9a, 0x55, 0x42, 0xe8, 0x01, 0x87, 0xcd, 0x67, 0x63, 0x22, 0x4d, 0xfb, 0xde, 0xd0, 0x0a, + 0xcb, 0x1c, 0xb6, 0x40, 0x9d, 0xe1, 0x59, 0x49, 0x31, 0xb4, 0x42, 
0x93, 0x9d, 0x3a, 0xc5, 0xc4, + 0xa7, 0x17, 0x57, 0x2b, 0x64, 0x5d, 0xaf, 0x90, 0xf5, 0x6d, 0x85, 0xac, 0x9b, 0x15, 0xb2, 0x3e, + 0x67, 0xc8, 0xfe, 0x9a, 0x21, 0xeb, 0x2a, 0x43, 0xf6, 0x75, 0x86, 0xec, 0x1f, 0x19, 0xb2, 0x7f, + 0x65, 0xc8, 0xba, 0xc9, 0x90, 0xfd, 0xe5, 0x27, 0xb2, 0xde, 0xb6, 0x0b, 0x71, 0x94, 0xe7, 0xbf, + 0x86, 0x60, 0xe3, 0x53, 0x1e, 0x3b, 0x66, 0x5d, 0x8e, 0xfe, 0x04, 0x00, 0x00, 0xff, 0xff, 0x0d, + 0x8d, 0x00, 0x06, 0x44, 0x04, 0x00, 0x00, +} diff --git a/apis/v1alpha1/api.proto b/apis/v1alpha1/api.proto index 3f4599e5aa7..a8752e92d50 100644 --- a/apis/v1alpha1/api.proto +++ b/apis/v1alpha1/api.proto @@ -14,6 +14,13 @@ syntax = "proto3"; +import "google/protobuf/struct.proto"; +import "gogoproto/gogo.proto"; +import "apis/v1alpha1/http_generic.proto"; + +// $title: APIs +// $overview: Configuration for describing the API surface of services and edge load balancers (e.g. ingress). +// $location: https://istio.io/docs/reference/config/istio.apis.v1alpha1.html package istio.apis.v1alpha1; option go_package="istio.io/api/apis/v1alpha1"; @@ -24,7 +31,7 @@ option (gogoproto.gostring_all) = false; // SchemeSource defines the source for an API schema. message SchemaSource { - // External URL reference to source API schema. The reference is + // External URL reference to the source API schema. The reference is // expected to be immutable and valid for the lifetime of the // SchemeSource and encompassing API specification. Changing the // referenced spec after the reference is submitted is undefined 
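Review bot: In the `@@ -14,6 +14,13 @@` hunk the three new `import` lines are placed between `syntax` and `package`, and they are not sorted. The conventional layout is `syntax`, `package`, imports in alphabetical order, then file options, which is also what formatters and linters expect. Suggested order, placed after `package istio.apis.v1alpha1;`: `import "apis/v1alpha1/http_generic.proto";`, `import "gogoproto/gogo.proto";`, `import "google/protobuf/struct.proto";`.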
@@ -38,64 +45,145 @@ message SchemaSource { // [OpenAPI v2](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md) message OpenApiv2 { - SchemaSource schema_source = 1; + // Source of the OpenAPI v2 specification for the API. The inline + // string representation should be UTF-8 encoded. + SchemaSource source = 1; } // [OpenAPI v3](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md) message OpenApiv3 { - SchemaSource schema_source = 1; + // Source of the OpenAPI v3 specification for the API. The inline + // string representation should be UTF-8 encoded. + SchemaSource source = 1; } // A protobuf descriptor set for a gRPC service. +// +// Protocol buffers do not contain descriptions of their own types and +// services. However, the contents of a .proto file itself can be +// represented using protocol buffers (see +// [google/protobuf/descriptor.proto](https://github.com/google/protobuf/blob/master/src/google/protobuf/descriptor.proto)). protoc +// can output a FileDescriptorSet – which represents a set of .proto +// files – using the --descriptor_set_out option. +// +// For example, the following generates the descriptor set from +// bookstore.proto: +// +// protoc -I. --include_imports --include_source_info \ +// --descriptor_set_out=proto.pb test/proto/bookstore.proto +// +// proto2 and proto3 syntax are supported. message Grpc { - SchemaSource schema_source = 1; + // Source of the gRPC specification for the API. The inline + // representation of the protobuf descriptor set should be base64 + // encoded. + SchemaSource source = 1; // Select the set of services in the descriptor set that this grpc // definition references. A descriptor set may include multiple // service definitions, due to dependencies, but only a subset of // them are served by the specified backend. 
repeated string selected_services = 2; + + // TODO - I believe we would want to insert gRPC-to-JSON + // transcoding_after_ policy checks, in which case API policy can be + // written against attributes generated directly from the grpc + // service. If transcoding occurs earlier, before attribute + // generation, then we would need to create method/path-to-operation + // mappings using the protobuf http annotations. } -// API configuration for describing the API surface of a (sub)set of -// services. These API descriptions are used to generate API related -// attibutes and enable other API management features, -// e.g. transcoding (when applicable), unify discovery of API services -// within the mesh. Security definitions, extensions, etc. are -// preserved but not used by Istio. +// API configuration for describing the API surface of a service, +// subset of services, or edge proxies. These API descriptions are +// used to generate API related attibutes and enable other API +// management features, e.g. transcoding (when applicable), unify +// discovery of API services within the mesh. Security definitions, +// extensions, etc. are preserved but not used by Istio. // // apiVersion: apis.istio.io/v1alpha1 // kind: HttpApi // metadata: // name: petstore // spec: -// openapiv2: -// sourceSchema: +// type: OpenApiv2 +// schema: +// source: // external: https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml +// destinations: +// - host: petstore.foo.svc +// labels: +// version: v1 +// port: +// 80 // message HttpApi { - oneof type { - HttpGeneric generic = 1; - OpenApiv2 openapiv2 = 2; - OpenApiv3 openapiv3 = 3; - Grpc grpc = 4; - } + // The type of API schema that is stored in `schema`. Valid types + // are "OpenApiv2", "OpenApiv3", "Grpc", and "HttpGeneric". + string type = 1; - // List of destination services that this API is bound to. - repeated Destination destinations = 5; + // Schema for the API. 
Valid schema types OpenApiv2, OpenApiv3, + // Grpc, and HttpGeneric in the `apis.istio.io/v1alpha1` apiversion. + google.protobuf.Struct schema = 2; - // OpenApi and gRPC may be normalized to generic HTTP for API - // attribute generation. This could be hidden from the - // user. Alternatively, it might be useful to reflect this back into - // the user-facing configuration resource to aid in debugability. - HttpGeneric normalized_http = 6; + // List of destination services that this API is bound + // to. Destinations may be omitted if one or more gateways is + // specified. + repeated Destination destinations = 4; + + // The names of gateways that should apply these API specifications + // as defined by routing.istio.io/v1alpha2/Gateway. Gateways may be + // omitted if one or more destination services is specified. + repeated string gateways = 5; + + // openapi v2/v3 and grpc are normalized to the generic form. + HttpGeneric normalized = 6; } -// TODO - This is conceptually similar to the routing API's notion of -// named subsets. Should we reuse those types, or duplicate the types -// customized for our purposes? +// The intent of this message is to define a destination service +// (name) that can be qualified by subset (labels) and port(s). This +// is uses the same concepts defined by routing's Destination, +// DestinationRule, and Subset messages. I could have used those types +// directly but they included things TrafficPolicy which isn't +// appropriate here. It also seemed unintuitive to require creating +// DestinationRules to apply an API spec. +// +// TODO - other policy (e.g. auth, quota) may want to use simlar +// concepts. Should we introduce a common type for such a purpose and, +// if so, where should it live? // -// This needs to allow for binding an API to a service (i.e. host), -// named subsets using labels, and/or edge proxy (gateway/ingress). message Destination { + // REQUIRED. 
The destination address for traffic captured by this routing + // rule. Could be a DNS name with wildcard prefix or a CIDR + // prefix. Depending on the platform, short-names can also be used + // instead of a FQDN (i.e. has no dots in the name). In such a scenario, + // the FQDN of the host would be derived based on the underlying + // platform. + string host = 1; + + // Labels defines a subset of endpoints of a service. Subsets can be + // used for scenarios like A/B testing, or routing to a specific + // version of a service. + map labels = 2; + + // Specifies the port on the destination. Many services only expose a + // single port or label ports with the protocols they support, in these + // cases it is not required to explicitly select the port. Note that + // selection priority is to first match by name and then match by number. + // + // Names must comply with DNS label syntax (rfc1035) and therefore cannot + // collide with numbers. If there are multiple ports on a service with + // the same protocol the names should be of the form -. + PortSelector port = 3; +} + +// PortSelector specifies the name or number of a port to be used for +// matching or selection for final routing. +message PortSelector { + oneof port { + // Valid port number + uint32 number = 1; + // Port name + string name = 2; + } } diff --git a/apis/v1alpha1/http_generic.pb.go b/apis/v1alpha1/http_generic.pb.go new file mode 100644 index 00000000000..23013be11b0 --- /dev/null +++ b/apis/v1alpha1/http_generic.pb.go 
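Review bot: In `HttpApi`, replacing the typed `oneof type` with `string type = 1` and `google.protobuf.Struct schema = 2` means the parser accepts any type string and any arbitrarily nested struct, and nothing in the contract ties the discriminator to the payload. The consumer of this resource then has to check `type` against the four documented values, confirm that `schema` decodes as that message, and bound its size and nesting. The field comments should state the failure mode, e.g. `// Unknown types, and schemas that do not decode as the named type, are rejected.` The hunk also gives field numbers 1, 2, 4 and 5 different types than they had before, and drops 3 without `reserved 3;`. If any v1alpha1 data was ever serialized, old bytes would be misread, so fresh numbers would be safer. Separately, the comments let `destinations` or `gateways` be omitted but do not say what a spec with neither binds to; that case should be documented and, presumably, rejected at validation.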
@@ -0,0 +1,847 @@ +// Code generated by protoc-gen-gogo. DO NOT EDIT. +// source: apis/v1alpha1/http_generic.proto + +package v1alpha1 + +import proto "github.com/gogo/protobuf/proto" +import fmt "fmt" +import math "math" +import _ "github.com/gogo/protobuf/gogoproto" +import istio_mixer_v1 "istio.io/api/mixer/v1" + +import strings "strings" +import reflect "reflect" + +import io "io" + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// HttpAPISpec defines the canonical configuration for generating +// API-related attributes from Http requests based on the method and +// uri templated path matches. It is sufficient for defining the API +// surface of a service for the purposes of API attribute +// generation. It is not intended to represent auth, quota, +// documentation, or other information commonly found in other API +// specifications, e.g. OpenAPI. +// +// Existing standards that define operations (or methods) in terms of +// Http methods and paths can be normalized to this format for use in +// Istio. For example, a simple petstore API described by OpenAPIv2 +// [here](https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml) +// can be represented with the following HttpAPISpec. 
+// +// apiVersion: apis.istio.io/v1alpha1 +// kind: HttpAPI +// metadata: +// name: petstore +// namespace: default +// spec: +// generic: +// attributes: +// api.service: petstore.swagger.io +// api.version: 1.0.0 +// patterns: +// - attributes: +// api.operation: findPets +// httpMethod: GET +// uriTemplate: /api/pets +// - attributes: +// api.operation: addPet +// httpMethod: POST +// uriTemplate: /api/pets +// - attributes: +// api.operation: findPetById +// httpMethod: GET +// uriTemplate: /api/pets/{id} +// - attributes: +// api.operation: deletePet +// httpMethod: DELETE +// uriTemplate: /api/pets/{id} +// +type HttpGeneric struct { + // List of attributes that are generated when *any* of the Http + // patterns match. This list typically includes the "api.service" + // and "api.version" attributes. + Attributes *istio_mixer_v1.Attributes `protobuf:"bytes,1,opt,name=attributes" json:"attributes,omitempty"` + // List of Http patterns to match. + Patterns []*HttpGenericPattern `protobuf:"bytes,2,rep,name=patterns" json:"patterns,omitempty"` +} + +func (m *HttpGeneric) Reset() { *m = HttpGeneric{} } +func (*HttpGeneric) ProtoMessage() {} +func (*HttpGeneric) Descriptor() ([]byte, []int) { return fileDescriptorHttpGeneric, []int{0} } + +// HttpGenericPattern defines a single pattern to match against +// incoming Http requests. The per-pattern list of attributes is +// generated if both the http_method and uri_template match. In +// addition, the top-level list of attributes in the HttpAPISpec is also +// generated. +// +// pattern: +// - attributes +// api.operation: doFooBar +// httpMethod: GET +// uriTemplate: /foo/bar +// +type HttpGenericPattern struct { + // List of attributes that are generated if the Http request matches + // the specified http_method and uri_template. This typically + // includes the "api.operation" attribute. 
+ Attributes *istio_mixer_v1.Attributes `protobuf:"bytes,1,opt,name=attributes" json:"attributes,omitempty"` + // Http request method to match against as defined by + // [rfc7231](https://tools.ietf.org/html/rfc7231#page-21). For + // example: GET, HEAD, POST, PUT, DELETE. + HttpMethod string `protobuf:"bytes,2,opt,name=http_method,json=httpMethod,proto3" json:"http_method,omitempty"` + // Types that are valid to be assigned to Pattern: + // *HttpGenericPattern_UriTemplate + // *HttpGenericPattern_Regex + Pattern isHttpGenericPattern_Pattern `protobuf_oneof:"pattern"` +} + +func (m *HttpGenericPattern) Reset() { *m = HttpGenericPattern{} } +func (*HttpGenericPattern) ProtoMessage() {} +func (*HttpGenericPattern) Descriptor() ([]byte, []int) { return fileDescriptorHttpGeneric, []int{1} } + +type isHttpGenericPattern_Pattern interface { + isHttpGenericPattern_Pattern() + MarshalTo([]byte) (int, error) + Size() int +} + +type HttpGenericPattern_UriTemplate struct { + UriTemplate string `protobuf:"bytes,3,opt,name=uri_template,json=uriTemplate,proto3,oneof"` +} +type HttpGenericPattern_Regex struct { + Regex string `protobuf:"bytes,4,opt,name=regex,proto3,oneof"` +} + +func (*HttpGenericPattern_UriTemplate) isHttpGenericPattern_Pattern() {} +func (*HttpGenericPattern_Regex) isHttpGenericPattern_Pattern() {} + +func (m *HttpGenericPattern) GetPattern() isHttpGenericPattern_Pattern { + if m != nil { + return m.Pattern + } + return nil +} + +func (m *HttpGenericPattern) GetUriTemplate() string { + if x, ok := m.GetPattern().(*HttpGenericPattern_UriTemplate); ok { + return x.UriTemplate + } + return "" +} + +func (m *HttpGenericPattern) GetRegex() string { + if x, ok := m.GetPattern().(*HttpGenericPattern_Regex); ok { + return x.Regex + } + return "" +} + +// XXX_OneofFuncs is for the internal use of the proto package. 
+func (*HttpGenericPattern) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) { + return _HttpGenericPattern_OneofMarshaler, _HttpGenericPattern_OneofUnmarshaler, _HttpGenericPattern_OneofSizer, []interface{}{ + (*HttpGenericPattern_UriTemplate)(nil), + (*HttpGenericPattern_Regex)(nil), + } +} + +func _HttpGenericPattern_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { + m := msg.(*HttpGenericPattern) + // pattern + switch x := m.Pattern.(type) { + case *HttpGenericPattern_UriTemplate: + _ = b.EncodeVarint(3<<3 | proto.WireBytes) + _ = b.EncodeStringBytes(x.UriTemplate) + case *HttpGenericPattern_Regex: + _ = b.EncodeVarint(4<<3 | proto.WireBytes) + _ = b.EncodeStringBytes(x.Regex) + case nil: + default: + return fmt.Errorf("HttpGenericPattern.Pattern has unexpected type %T", x) + } + return nil +} + +func _HttpGenericPattern_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { + m := msg.(*HttpGenericPattern) + switch tag { + case 3: // pattern.uri_template + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + x, err := b.DecodeStringBytes() + m.Pattern = &HttpGenericPattern_UriTemplate{x} + return true, err + case 4: // pattern.regex + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + x, err := b.DecodeStringBytes() + m.Pattern = &HttpGenericPattern_Regex{x} + return true, err + default: + return false, nil + } +} + +func _HttpGenericPattern_OneofSizer(msg proto.Message) (n int) { + m := msg.(*HttpGenericPattern) + // pattern + switch x := m.Pattern.(type) { + case *HttpGenericPattern_UriTemplate: + n += proto.SizeVarint(3<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(len(x.UriTemplate))) + n += len(x.UriTemplate) + case *HttpGenericPattern_Regex: + n += proto.SizeVarint(4<<3 | proto.WireBytes) + n += 
proto.SizeVarint(uint64(len(x.Regex))) + n += len(x.Regex) + case nil: + default: + panic(fmt.Sprintf("proto: unexpected type %T in oneof", x)) + } + return n +} + +func init() { + proto.RegisterType((*HttpGeneric)(nil), "istio.apis.v1alpha1.HttpGeneric") + proto.RegisterType((*HttpGenericPattern)(nil), "istio.apis.v1alpha1.HttpGenericPattern") +} +func (m *HttpGeneric) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *HttpGeneric) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Attributes != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(m.Attributes.Size())) + n1, err := m.Attributes.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n1 + } + if len(m.Patterns) > 0 { + for _, msg := range m.Patterns { + dAtA[i] = 0x12 + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(msg.Size())) + n, err := msg.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n + } + } + return i, nil +} + +func (m *HttpGenericPattern) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *HttpGenericPattern) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.Attributes != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(m.Attributes.Size())) + n2, err := m.Attributes.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n2 + } + if len(m.HttpMethod) > 0 { + dAtA[i] = 0x12 + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(len(m.HttpMethod))) + i += copy(dAtA[i:], m.HttpMethod) + } + if m.Pattern != nil { + nn3, err := m.Pattern.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += nn3 + } + return i, nil +} + +func (m 
*HttpGenericPattern_UriTemplate) MarshalTo(dAtA []byte) (int, error) { + i := 0 + dAtA[i] = 0x1a + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(len(m.UriTemplate))) + i += copy(dAtA[i:], m.UriTemplate) + return i, nil +} +func (m *HttpGenericPattern_Regex) MarshalTo(dAtA []byte) (int, error) { + i := 0 + dAtA[i] = 0x22 + i++ + i = encodeVarintHttpGeneric(dAtA, i, uint64(len(m.Regex))) + i += copy(dAtA[i:], m.Regex) + return i, nil +} +func encodeVarintHttpGeneric(dAtA []byte, offset int, v uint64) int { + for v >= 1<<7 { + dAtA[offset] = uint8(v&0x7f | 0x80) + v >>= 7 + offset++ + } + dAtA[offset] = uint8(v) + return offset + 1 +} +func (m *HttpGeneric) Size() (n int) { + var l int + _ = l + if m.Attributes != nil { + l = m.Attributes.Size() + n += 1 + l + sovHttpGeneric(uint64(l)) + } + if len(m.Patterns) > 0 { + for _, e := range m.Patterns { + l = e.Size() + n += 1 + l + sovHttpGeneric(uint64(l)) + } + } + return n +} + +func (m *HttpGenericPattern) Size() (n int) { + var l int + _ = l + if m.Attributes != nil { + l = m.Attributes.Size() + n += 1 + l + sovHttpGeneric(uint64(l)) + } + l = len(m.HttpMethod) + if l > 0 { + n += 1 + l + sovHttpGeneric(uint64(l)) + } + if m.Pattern != nil { + n += m.Pattern.Size() + } + return n +} + +func (m *HttpGenericPattern_UriTemplate) Size() (n int) { + var l int + _ = l + l = len(m.UriTemplate) + n += 1 + l + sovHttpGeneric(uint64(l)) + return n +} +func (m *HttpGenericPattern_Regex) Size() (n int) { + var l int + _ = l + l = len(m.Regex) + n += 1 + l + sovHttpGeneric(uint64(l)) + return n +} + +func sovHttpGeneric(x uint64) (n int) { + for { + n++ + x >>= 7 + if x == 0 { + break + } + } + return n +} +func sozHttpGeneric(x uint64) (n int) { + return sovHttpGeneric(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (this *HttpGeneric) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&HttpGeneric{`, + `Attributes:` + strings.Replace(fmt.Sprintf("%v", this.Attributes), "Attributes", 
"istio_mixer_v1.Attributes", 1) + `,`, + `Patterns:` + strings.Replace(fmt.Sprintf("%v", this.Patterns), "HttpGenericPattern", "HttpGenericPattern", 1) + `,`, + `}`, + }, "") + return s +} +func (this *HttpGenericPattern) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&HttpGenericPattern{`, + `Attributes:` + strings.Replace(fmt.Sprintf("%v", this.Attributes), "Attributes", "istio_mixer_v1.Attributes", 1) + `,`, + `HttpMethod:` + fmt.Sprintf("%v", this.HttpMethod) + `,`, + `Pattern:` + fmt.Sprintf("%v", this.Pattern) + `,`, + `}`, + }, "") + return s +} +func (this *HttpGenericPattern_UriTemplate) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&HttpGenericPattern_UriTemplate{`, + `UriTemplate:` + fmt.Sprintf("%v", this.UriTemplate) + `,`, + `}`, + }, "") + return s +} +func (this *HttpGenericPattern_Regex) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&HttpGenericPattern_Regex{`, + `Regex:` + fmt.Sprintf("%v", this.Regex) + `,`, + `}`, + }, "") + return s +} +func valueToStringHttpGeneric(v interface{}) string { + rv := reflect.ValueOf(v) + if rv.IsNil() { + return "nil" + } + pv := reflect.Indirect(rv).Interface() + return fmt.Sprintf("*%v", pv) +} +func (m *HttpGeneric) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: HttpGeneric: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: HttpGeneric: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { 
+ return fmt.Errorf("proto: wrong wireType = %d for field Attributes", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Attributes == nil { + m.Attributes = &istio_mixer_v1.Attributes{} + } + if err := m.Attributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Patterns", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Patterns = append(m.Patterns, &HttpGenericPattern{}) + if err := m.Patterns[len(m.Patterns)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipHttpGeneric(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthHttpGeneric + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *HttpGenericPattern) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + 
} + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: HttpGenericPattern: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: HttpGenericPattern: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Attributes", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Attributes == nil { + m.Attributes = &istio_mixer_v1.Attributes{} + } + if err := m.Attributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field HttpMethod", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.HttpMethod = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field UriTemplate", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + 
} + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Pattern = &HttpGenericPattern_UriTemplate{string(dAtA[iNdEx:postIndex])} + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Regex", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthHttpGeneric + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Pattern = &HttpGenericPattern_Regex{string(dAtA[iNdEx:postIndex])} + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipHttpGeneric(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthHttpGeneric + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func skipHttpGeneric(dAtA []byte) (n int, err error) { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + wireType := int(wire & 0x7) + switch wireType { + case 0: + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return 0, 
io.ErrUnexpectedEOF + } + iNdEx++ + if dAtA[iNdEx-1] < 0x80 { + break + } + } + return iNdEx, nil + case 1: + iNdEx += 8 + return iNdEx, nil + case 2: + var length int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + length |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + iNdEx += length + if length < 0 { + return 0, ErrInvalidLengthHttpGeneric + } + return iNdEx, nil + case 3: + for { + var innerWire uint64 + var start int = iNdEx + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowHttpGeneric + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + innerWire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + innerWireType := int(innerWire & 0x7) + if innerWireType == 4 { + break + } + next, err := skipHttpGeneric(dAtA[start:]) + if err != nil { + return 0, err + } + iNdEx = start + next + } + return iNdEx, nil + case 4: + return iNdEx, nil + case 5: + iNdEx += 4 + return iNdEx, nil + default: + return 0, fmt.Errorf("proto: illegal wireType %d", wireType) + } + } + panic("unreachable") +} + +var ( + ErrInvalidLengthHttpGeneric = fmt.Errorf("proto: negative length found during unmarshaling") + ErrIntOverflowHttpGeneric = fmt.Errorf("proto: integer overflow") +) + +func init() { proto.RegisterFile("apis/v1alpha1/http_generic.proto", fileDescriptorHttpGeneric) } + +var fileDescriptorHttpGeneric = []byte{ + // 334 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x91, 0xbf, 0x4e, 0xf3, 0x30, + 0x14, 0xc5, 0xed, 0xf6, 0xfb, 0x57, 0xe7, 0x9b, 0x02, 0x42, 0x21, 0x83, 0x89, 0xca, 0x40, 0x27, + 0x47, 0x29, 0x1b, 0x1b, 0x65, 0xa0, 0x03, 0x48, 0x28, 0x62, 0x62, 0xa9, 0x5c, 0xb0, 0x52, 0x4b, + 0x6d, 0x6d, 0x39, 0xb7, 0x55, 0x47, 0x9e, 0x00, 0xf1, 0x18, 0xbc, 0x02, 0x6f, 0xd0, 0xb1, 0x23, + 0x23, 
0x31, 0x0b, 0x63, 0x1f, 0x01, 0x25, 0x2e, 0xa5, 0x08, 0x36, 0x36, 0xfb, 0x9c, 0x9f, 0xef, + 0x3d, 0xbe, 0x97, 0x44, 0x5c, 0xcb, 0x3c, 0x9e, 0x26, 0x7c, 0xa8, 0x07, 0x3c, 0x89, 0x07, 0x00, + 0xba, 0x97, 0x89, 0xb1, 0x30, 0xf2, 0x9a, 0x69, 0xa3, 0x40, 0xf9, 0x5b, 0x32, 0x07, 0xa9, 0x58, + 0xc9, 0xb1, 0x77, 0x2e, 0xdc, 0xce, 0x54, 0xa6, 0x2a, 0x3f, 0x2e, 0x4f, 0x0e, 0x0d, 0x77, 0x47, + 0x72, 0x26, 0x4c, 0x3c, 0x4d, 0x62, 0x0e, 0x60, 0x64, 0x7f, 0x02, 0x22, 0x77, 0x56, 0xf3, 0x0e, + 0x13, 0xaf, 0x0b, 0xa0, 0x4f, 0x5d, 0x6d, 0xff, 0x88, 0x90, 0x0f, 0x26, 0xc0, 0x11, 0x6e, 0x79, + 0xed, 0x90, 0xb9, 0x56, 0x55, 0x15, 0x36, 0x4d, 0xd8, 0xf1, 0x9a, 0x48, 0x37, 0x68, 0xff, 0x84, + 0xfc, 0xd3, 0x1c, 0x40, 0x98, 0x71, 0x1e, 0xd4, 0xa2, 0x7a, 0xcb, 0x6b, 0x1f, 0xb0, 0x6f, 0x42, + 0xb2, 0x8d, 0x7e, 0x17, 0x8e, 0x4f, 0xd7, 0x0f, 0x9b, 0x8f, 0x98, 0xf8, 0x5f, 0x81, 0x1f, 0xe5, + 0xda, 0x23, 0x5e, 0x35, 0xbf, 0x91, 0x80, 0x81, 0xba, 0x09, 0x6a, 0x11, 0x6e, 0x35, 0x52, 0x52, + 0x4a, 0xe7, 0x95, 0xe2, 0xef, 0x93, 0xff, 0x13, 0x23, 0x7b, 0x20, 0x46, 0x7a, 0xc8, 0x41, 0x04, + 0xf5, 0x92, 0xe8, 0xa2, 0xd4, 0x9b, 0x18, 0x79, 0xb9, 0x12, 0xfd, 0x1d, 0xf2, 0xdb, 0x88, 0x4c, + 0xcc, 0x82, 0x5f, 0x2b, 0xd7, 0x5d, 0x3b, 0x0d, 0xf2, 0x77, 0x15, 0xbe, 0x73, 0x36, 0x2f, 0x28, + 0x5a, 0x14, 0x14, 0x3d, 0x15, 0x14, 0x2d, 0x0b, 0x8a, 0x6e, 0x2d, 0xc5, 0x0f, 0x96, 0xa2, 0xb9, + 0xa5, 0x78, 0x61, 0x29, 0x7e, 0xb6, 0x14, 0xbf, 0x5a, 0x8a, 0x96, 0x96, 0xe2, 0xfb, 0x17, 0x8a, + 0xae, 0x42, 0xf7, 0x03, 0xa9, 0x62, 0xae, 0x65, 0xfc, 0x69, 0xe7, 0xfd, 0x3f, 0xd5, 0x86, 0x0e, + 0xdf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x01, 0x37, 0x09, 0xd4, 0x0b, 0x02, 0x00, 0x00, +} diff --git a/apis/v1alpha1/http_generic.proto b/apis/v1alpha1/http_generic.proto index 3e65ee38679..19c59eefbae 100644 --- a/apis/v1alpha1/http_generic.proto +++ b/apis/v1alpha1/http_generic.proto 
@@ -19,20 +19,18 @@ package istio.apis.v1alpha1; option go_package="istio.io/api/apis/v1alpha1"; import "gogoproto/gogo.proto"; - -// TODO - promote to a common type? -import "mixer/v1/attributes.proto"; +import "mixer/v1/attributes.proto"; // TODO - promote to a common type? // TODO - promote to a common type, or create a new type against the // same concept? -import "routing/v1alpha2/route_rule.proto"; +// import "routing/v1alpha2/route_rule.proto"; option (gogoproto.goproto_getters_all) = false; option (gogoproto.equal_all) = false; option (gogoproto.gostring_all) = false; -// HTTPAPISpec defines the canonical configuration for generating -// API-related attributes from HTTP requests based on the method and +// HttpAPISpec defines the canonical configuration for generating +// API-related attributes from Http requests based on the method and // uri templated path matches. It is sufficient for defining the API // surface of a service for the purposes of API attribute // generation. It is not intended to represent auth, quota, @@ -40,13 +38,13 @@ option (gogoproto.gostring_all) = false; // specifications, e.g. OpenAPI. // // Existing standards that define operations (or methods) in terms of -// HTTP methods and paths can be normalized to this format for use in +// Http methods and paths can be normalized to this format for use in // Istio. For example, a simple petstore API described by OpenAPIv2 // [here](https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml) -// can be represented with the following HTTPAPISpec. +// can be represented with the following HttpAPISpec. // // apiVersion: apis.istio.io/v1alpha1 -// kind: HTTPAPI +// kind: HttpAPI // metadata: // name: petstore // namespace: default 
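Review bot: The routing import is commented out instead of removed (`// import "routing/v1alpha2/route_rule.proto";`), which leaves a dead line sitting under a TODO that no longer refers to anything the file imports. If the routing types are really no longer needed here, I would delete the line and keep a single comment with the open question, for example `// TODO: decide whether to share a destination type with routing/v1alpha2.`. The file continues outside this hunk, so I cannot confirm from here that nothing else still refers to a routing type.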
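Review bot: The doc comment names the type `HttpAPISpec` and the example uses `kind: HttpAPI`, while the message the comment sits on is `HttpGeneric` and the generated reference page in this same patch shows `kind: HttpApi` for the user-facing resource. Someone copying the example would presumably end up with a kind that is not the one actually registered. The prose also now says "Http requests" and "Http methods", although only the identifiers needed the new casing and the protocol name is HTTP. I would write `// HttpGeneric defines the canonical configuration for generating` and `// API-related attributes from HTTP requests based on the method and`, and align the example's kind with the registered one. The same wording appears in the first hunk and in the two hunks that follow.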
@@ -73,20 +71,20 @@ option (gogoproto.gostring_all) = false;
 // httpMethod: DELETE
 // uriTemplate: /api/pets/{id}
 //
-message HTTPGeneric {
- // List of attributes that are generated when *any* of the HTTP
+message HttpGeneric {
+ // List of attributes that are generated when *any* of the Http
 // patterns match. This list typically includes the "api.service"
 // and "api.version" attributes.
- Attributes attributes = 1;
+ mixer.v1.Attributes attributes = 1;
 
- // List of HTTP patterns to match.
- repeated HTTPGenericPattern patterns = 2;
+ // List of Http patterns to match.
+ repeated HttpGenericPattern patterns = 2;
 }
 
-// HTTPGenericPattern defines a single pattern to match against
-// incoming HTTP requests. The per-pattern list of attributes is
+// HttpGenericPattern defines a single pattern to match against
+// incoming Http requests. The per-pattern list of attributes is
 // generated if both the http_method and uri_template match. In
-// addition, the top-level list of attributes in the HTTPAPISpec is also
+// addition, the top-level list of attributes in the HttpAPISpec is also
 // generated.
 //
 // pattern:
@@ -95,13 +93,13 @@ message HTTPGeneric {
 // httpMethod: GET
 // uriTemplate: /foo/bar
 //
-message HTTPGenericPattern {
- // List of attributes that are generated if the HTTP request matches
+message HttpGenericPattern {
+ // List of attributes that are generated if the Http request matches
 // the specified http_method and uri_template. This typically
 // includes the "api.operation" attribute.
- Attributes attributes = 1;
+ mixer.v1.Attributes attributes = 1;
 
- // HTTP request method to match against as defined by
+ // Http request method to match against as defined by
 // [rfc7231](https://tools.ietf.org/html/rfc7231#page-21). For
 // example: GET, HEAD, POST, PUT, DELETE.
 string http_method = 2;
diff --git a/apis/v1alpha1/istio.apis.v1alpha1.pb.html b/apis/v1alpha1/istio.apis.v1alpha1.pb.html
new file mode 100644
index 00000000000..38297fec892
--- /dev/null
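Review bot: In the HttpGeneric hunk, `mixer.v1.Attributes` is a relative type reference: it resolves only because protoc searches outward from `istio.apis.v1alpha1` until it finds a `mixer` scope, and the generated reference page in this patch shows the full name as `istio.mixer.v1.Attributes`. Name lookup stops at the innermost scope that defines the first component, so a `mixer` package or message added later under `istio.apis` would either break the build or point this field at a different type. I would spell the name out, `istio.mixer.v1.Attributes attributes = 1;`, here and on the identical line in the HttpGenericPattern hunk.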
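Review bot: In the HttpGenericPattern hunk, the comment on `http_method` lists example methods but does not say how the value is compared with the request method or what an empty value means. The message comment states that the per-pattern attributes are generated only when both the method and the template match, so a request whose method differs only in case would get no `api.operation` attribute; if those attributes feed policy decisions (not visible here), that gap matters. I would add a line to the field comment such as `// Compared case-sensitively with the request method; an empty value is rejected.`, adjusted to what the matcher actually implements. The body of HttpGenericPattern continues outside the hunk.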
+++ b/apis/v1alpha1/istio.apis.v1alpha1.pb.html @@ -0,0 +1,571 @@ +--- +title: istio.apis.v1alpha1 +layout: protoc-gen-docs +number_of_entries: 11 +--- +

$title: APIs +$overview: Configuration for describing the API surface of services and edge load balancers (e.g. ingress). +$location: https://istio.io/docs/reference/config/istio.apis.v1alpha1.html

+ +

Destination

+
+

The intent of this message is to define a destination service +(name) that can be qualified by subset (labels) and port(s). This +is uses the same concepts defined by routing’s Destination, +DestinationRule, and Subset messages. I could have used those types +directly but they included things TrafficPolicy which isn’t +appropriate here. It also seemed unintuitive to require creating +DestinationRules to apply an API spec.

+ +

TODO - other policy (e.g. auth, quota) may want to use simlar +concepts. Should we introduce a common type for such a purpose and, +if so, where should it live?

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
hoststring +

REQUIRED. The destination address for traffic captured by this routing +rule. Could be a DNS name with wildcard prefix or a CIDR +prefix. Depending on the platform, short-names can also be used +instead of a FQDN (i.e. has no dots in the name). In such a scenario, +the FQDN of the host would be derived based on the underlying +platform.

+ +
labelsmap<string,string> +

Labels defines a subset of endpoints of a service. Subsets can be +used for scenarios like A/B testing, or routing to a specific +version of a service.

+ +
portPortSelector +

Specifies the port on the destination. Many services only expose a +single port or label ports with the protocols they support, in these +cases it is not required to explicitly select the port. Note that +selection priority is to first match by name and then match by number.

+ +

Names must comply with DNS label syntax (rfc1035) and therefore cannot +collide with numbers. If there are multiple ports on a service with +the same protocol the names should be of the form -.

+ +
+
+

Grpc

+
+

A protobuf descriptor set for a gRPC service.

+ +

Protocol buffers do not contain descriptions of their own types and +services. However, the contents of a .proto file itself can be +represented using protocol buffers (see +google/protobuf/descriptor.proto). protoc +can output a FileDescriptorSet – which represents a set of .proto +files – using the –descriptorsetout option.

+ +

For example, the following generates the descriptor set from +bookstore.proto:

+ +
protoc -I. --include_imports --include_source_info \
+    --descriptor_set_out=proto.pb test/proto/bookstore.proto
+
+ +

proto2 and proto3 syntax are supported.

+ + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
sourceSchemaSource +

Source of the gRPC specification for the API. The inline +representation of the protobuf descriptor set should be base64 +encoded.

+ +
selectedServicesstring[] +

Select the set of services in the descriptor set that this grpc +definition references. A descriptor set may include multiple +service definitions, due to dependencies, but only a subset of +them are served by the specified backend.

+ +
+
+

HttpApi

+
+

API configuration for describing the API surface of a service, +subset of services, or edge proxies. These API descriptions are +used to generate API related attibutes and enable other API +management features, e.g. transcoding (when applicable), unify +discovery of API services within the mesh. Security definitions, +extensions, etc. are preserved but not used by Istio.

+ +

apiVersion: apis.istio.io/v1alpha1 + kind: HttpApi + metadata: + name: petstore + spec: + type: OpenApiv2 + schema: + source: + external: https://github.com/googleapis/gnostic/blob/master/examples/v2.0/yaml/petstore-simple.yaml + destinations: + - host: petstore.foo.svc + labels: + version: v1 + port: + 80

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
typestring +

The type of API schema that is stored in schema. Valid types +are “OpenApiv2”, “OpenApiv3”, “Grpc”, and “HttpGeneric”.

+ +
schemagoogle.protobuf.Struct +

Schema for the API. Valid schema types OpenApiv2, OpenApiv3, +Grpc, and HttpGeneric in the apis.istio.io/v1alpha1 apiversion.

+ +
destinationsDestination[] +

List of destination services that this API is bound +to. Destinations may be omitted if one or more gateways is +specified.

+ +
gatewaysstring[] +

The names of gateways that should apply these API specifications +as defined by routing.istio.io/v1alpha2/Gateway. Gateways may be +omitted if one or more destination services is specified.

+ +
normalizedHttpGeneric +

openapi v2/v3 and grpc are normalized to the generic form.

+ +
+
+

HttpGeneric

+
+

HttpAPISpec defines the canonical configuration for generating +API-related attributes from Http requests based on the method and +uri templated path matches. It is sufficient for defining the API +surface of a service for the purposes of API attribute +generation. It is not intended to represent auth, quota, +documentation, or other information commonly found in other API +specifications, e.g. OpenAPI.

+ +

Existing standards that define operations (or methods) in terms of +Http methods and paths can be normalized to this format for use in +Istio. For example, a simple petstore API described by OpenAPIv2 +here +can be represented with the following HttpAPISpec.

+ +
apiVersion: apis.istio.io/v1alpha1
+kind: HttpAPI
+metadata:
+  name: petstore
+  namespace: default
+spec:
+  generic:
+    attributes:
+      api.service: petstore.swagger.io
+      api.version: 1.0.0
+    patterns:
+    - attributes:
+        api.operation: findPets
+      httpMethod: GET
+      uriTemplate: /api/pets
+    - attributes:
+        api.operation: addPet
+      httpMethod: POST
+      uriTemplate: /api/pets
+    - attributes:
+        api.operation: findPetById
+      httpMethod: GET
+      uriTemplate: /api/pets/{id}
+    - attributes:
+        api.operation: deletePet
+      httpMethod: DELETE
+      uriTemplate: /api/pets/{id}
+
+ + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
attributesistio.mixer.v1.Attributes +

List of attributes that are generated when any of the Http +patterns match. This list typically includes the “api.service” +and “api.version” attributes.

+ +
patternsHttpGenericPattern[] +

List of Http patterns to match.

+ +
+
+

HttpGenericPattern

+
+

HttpGenericPattern defines a single pattern to match against +incoming Http requests. The per-pattern list of attributes is +generated if both the httpmethod and uritemplate match. In +addition, the top-level list of attributes in the HttpAPISpec is also +generated.

+ +
pattern:
+- attributes
+    api.operation: doFooBar
+  httpMethod: GET
+  uriTemplate: /foo/bar
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
attributesistio.mixer.v1.Attributes +

List of attributes that are generated if the Http request matches +the specified httpmethod and uritemplate. This typically +includes the “api.operation” attribute.

+ +
httpMethodstring +

Http request method to match against as defined by +rfc7231. For +example: GET, HEAD, POST, PUT, DELETE.

+ +
uriTemplatestring (oneof) +

URI template to match against as defined by +rfc6570. For example, the +following are valid URI templates:

+ +
/pets
+/pets/{id}
+/dictionary/{term:1}/{term}
+/search{?q*,lang}
+
+ +
regexstring (oneof) +

EXPERIMENTAL:

+ +

ecmascript style regex-based match as defined by +EDCA-262. For +example,

+ +
"^/pets/(.*?)?"
+
+ +
+
+

OpenApiv2

+
+

OpenAPI v2

+ + + + + + + + + + + + + + + + +
FieldTypeDescription
sourceSchemaSource +

Source of the OpenAPI v2 specification for the API. The inline +string representation should be UTF-8 encoded.

+ +
+
+

OpenApiv3

+
+

OpenAPI v3

+ + + + + + + + + + + + + + + + +
FieldTypeDescription
sourceSchemaSource +

Source of the OpenAPI v3 specification for the API. The inline +string representation should be UTF-8 encoded.

+ +
+
+

PortSelector

+
+

PortSelector specifies the name or number of a port to be used for +matching or selection for final routing.

+ + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
numberuint32 (oneof) +

Valid port number

+ +
namestring (oneof) +

Port name

+ +
+
+

SchemaSource

+
+

SchemeSource defines the source for an API schema.

+ + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
externalstring +

External URL reference to the source API schema. The reference is +expected to be immutable and valid for the lifetime of the +SchemeSource and encompassing API specification. Changing the +referenced spec after the reference is submitted is undefined +behavior.

+ +
inlineStringstring +

String inlined in the configuration. Binary data should be base64 +encoded.

+ +
+
+

google.protobuf.Struct

+
+

Struct represents a structured data value, consisting of fields +which map to dynamically typed values. In some languages, Struct +might be supported by a native representation. For example, in +scripting languages like JS a struct is represented as an +object. The details of that representation are described together +with the proto support for the language.

+ +

The JSON representation for Struct is JSON object.

+ + + + + + + + + + + + + + + + +
FieldTypeDescription
fieldsmap<string,google.protobuf.Value> +

Unordered map of dynamically typed values.

+ +
+
+

istio.mixer.v1.Attributes

+
+

Attributes represents a set of typed name/value pairs. Many of Mixer’s +API either consume and/or return attributes.

+ +

Istio uses attributes to control the runtime behavior of services running in the service mesh. +Attributes are named and typed pieces of metadata describing ingress and egress traffic and the +environment this traffic occurs in. An Istio attribute carries a specific piece +of information such as the error code of an API request, the latency of an API request, or the +original IP address of a TCP connection. For example:

+ +
request.path: xyz/abc
+request.size: 234
+request.time: 12:34:56.789 04/17/2017
+source.ip: 192.168.0.1
+target.service: example
+
+ +

A given Istio deployment has a fixed vocabulary of attributes that it understands. +The specific vocabulary is determined by the set of attribute producers being used +in the deployment. The primary attribute producer in Istio is Envoy, although +specialized Mixer adapters and services can also generate attributes.

+ +

The common baseline set of attributes available in most Istio deployments is defined +here.

+ +

Attributes are strongly typed. The supported attribute types are defined by +ValueType. +Each type of value is encoded into one of the so-called transport types present +in this message.

+ +

Defines a map of attributes in uncompressed format. +Following places may use this message: +1) Configure Istio/Proxy with static per-proxy attributes, such as source.uid. +2) Service IDL definition to extract api attributes for active requests. +3) Forward attributes from client proxy to server proxy for HTTP requests.

+ + + + + + + + + + + + + + + + +
FieldTypeDescription
attributesmap<string,istio.mixer.v1.Attributes.AttributeValue> +

A map of attribute name to its value.

+ +
+
From 23067af67764b66aaee7f72e77aa2c9f6000b56b Mon Sep 17 00:00:00 2001
From: Jason Young
Date: Tue, 6 Feb 2018 16:13:03 -0800
Subject: [PATCH 04/15] add missing docs for mixerclient filter config (#353)
---
 mixer/v1/config/client/auth.pb.go | 5 ++++-
 mixer/v1/config/client/auth.proto | 3 +++
 mixer/v1/config/client/client_config.pb.go | 2 ++
 mixer/v1/config/client/client_config.proto | 2 ++
 .../client/istio.mixer.v1.config.client.pb.html | 11 +++++++++++
 mixer/v1/config/client/quota.pb.go | 2 ++
 mixer/v1/config/client/quota.proto | 2 ++
 7 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/mixer/v1/config/client/auth.pb.go b/mixer/v1/config/client/auth.pb.go
index 4010a81c259..1f2ddf32c5c 100644
--- a/mixer/v1/config/client/auth.pb.go
+++ b/mixer/v1/config/client/auth.pb.go
@@ -73,7 +73,8 @@ type JWT struct { // system wide default is applied if no duration is explicitly // specified. PublicKeyCacheDuration *google_protobuf1.Duration `protobuf:"bytes,5,opt,name=public_key_cache_duration,json=publicKeyCacheDuration" json:"public_key_cache_duration,omitempty"` - Locations []*JWT_Location `protobuf:"bytes,6,rep,name=locations" json:"locations,omitempty"` + // Zero or more locations to search for JWT in an HTTP request. + Locations []*JWT_Location `protobuf:"bytes,6,rep,name=locations" json:"locations,omitempty"` // This field is specific for Envoy proxy implementation. // It is the cluster name in the Envoy config for the jwks_uri. JwksUriEnvoyCluster string `protobuf:"bytes,7,opt,name=jwks_uri_envoy_cluster,json=jwksUriEnvoyCluster,proto3" json:"jwks_uri_envoy_cluster,omitempty"`
@@ -242,6 +243,8 @@ func (*EndUserAuthenticationPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{1} } +// EndUserAuthenticationPolicySpecReference identifies a +// EndUserAuthenticationPolicySpec that is bound to a set of services. type EndUserAuthenticationPolicySpecReference struct { // REQUIRED. The short name of the // EndUserAuthenticationPolicySpec. This is the resource name
diff --git a/mixer/v1/config/client/auth.proto b/mixer/v1/config/client/auth.proto
index ba4fad56ff3..550ad8974d3 100644
--- a/mixer/v1/config/client/auth.proto
+++ b/mixer/v1/config/client/auth.proto
@@ -114,6 +114,7 @@ message JWT {
 string query = 2;
 }
 }
+ // Zero or more locations to search for JWT in an HTTP request.
 repeated Location locations = 6;
 // This field is specific for Envoy proxy implementation.
@@ -148,6 +149,8 @@ message EndUserAuthenticationPolicySpec {
 repeated JWT jwts = 2;
 }
+// EndUserAuthenticationPolicySpecReference identifies a
+// EndUserAuthenticationPolicySpec that is bound to a set of services.
 message EndUserAuthenticationPolicySpecReference {
 // REQUIRED. The short name of the
 // EndUserAuthenticationPolicySpec. This is the resource name
diff --git a/mixer/v1/config/client/client_config.pb.go b/mixer/v1/config/client/client_config.pb.go
index 68cdb50db49..f7aad50cab9 100644
--- a/mixer/v1/config/client/client_config.pb.go
+++ b/mixer/v1/config/client/client_config.pb.go
@@ -23,6 +23,8 @@ var _ = proto.Marshal var _ = fmt.Errorf var _ = math.Inf +// NetworkFailPolicy defines behavior when network connection +// failure occurs. type TransportConfig_NetworkFailPolicy int32 const (
diff --git a/mixer/v1/config/client/client_config.proto b/mixer/v1/config/client/client_config.proto
index da43b782f01..4530e4f4d70 100644
--- a/mixer/v1/config/client/client_config.proto
+++ b/mixer/v1/config/client/client_config.proto
@@ -67,6 +67,8 @@ message TransportConfig {
 // The flag to disable report batch.
 bool disable_report_batch = 3;
+ // NetworkFailPolicy defines behavior when network connection
+ // failure occurs.
 enum NetworkFailPolicy {
 // If network fails, request is passed to the backend.
 FAIL_OPEN = 0;
diff --git a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
index 02ba599608c..0073fa11414 100644
--- a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
+++ b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html
@@ -189,6 +189,9 @@
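Review bot: The comment added above `enum NetworkFailPolicy` in client_config.proto does not tell the reader that `FAIL_OPEN` is the zero value, which (assuming this file is proto3, as the `proto3` tags in the sibling auth.pb.go suggest) is what an unset field of this type reads as. Per the existing value comment, a request is then passed to the backend when the network fails, so whatever check depended on that call is presumably skipped unless the operator sets the policy explicitly. I would add a line such as `// FAIL_OPEN is the zero value, so it applies whenever no policy is configured.` and point to the value to choose when a failed check must block the request. The enum body continues past the end of this hunk, so its other values are not visible here.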

EndUserAuthenticationPolicySpecB

EndUserAuthenticationPolicySpecReference

+

EndUserAuthenticationPolicySpecReference identifies a +EndUserAuthenticationPolicySpec that is bound to a set of services.

+ @@ -702,6 +705,8 @@

JWT

@@ -893,6 +898,9 @@

QuotaSpecBinding

QuotaSpecBinding.QuotaSpecReference

+

QuotaSpecReference uniquely identifies the QuotaSpec used in the +Binding.

+
locations JWT.Location[] +

Zero or more locations to search for JWT in an HTTP request.

+
@@ -1187,6 +1195,9 @@

TransportConfig

TransportConfig.NetworkFailPolicy

+

NetworkFailPolicy defines behavior when network connection +failure occurs.

+
diff --git a/mixer/v1/config/client/quota.pb.go b/mixer/v1/config/client/quota.pb.go
index e817b64addb..8574550c065 100644
--- a/mixer/v1/config/client/quota.pb.go
+++ b/mixer/v1/config/client/quota.pb.go
@@ -232,6 +232,8 @@ func (m *QuotaSpecBinding) Reset() { *m = QuotaSpecBinding{} func (*QuotaSpecBinding) ProtoMessage() {} func (*QuotaSpecBinding) Descriptor() ([]byte, []int) { return fileDescriptorQuota, []int{5} } +// QuotaSpecReference uniquely identifies the QuotaSpec used in the +// Binding. type QuotaSpecBinding_QuotaSpecReference struct { // REQUIRED. The short name of the QuotaSpec. This is the resource // name defined by the metadata name field.
diff --git a/mixer/v1/config/client/quota.proto b/mixer/v1/config/client/quota.proto
index 0f4a11a6d42..cff9c711ddc 100644
--- a/mixer/v1/config/client/quota.proto
+++ b/mixer/v1/config/client/quota.proto
@@ -123,6 +123,8 @@ message QuotaSpecBinding {
 // REQUIRED. One or more services to map the listed QuotaSpec onto.
 repeated IstioService services = 1;
+ // QuotaSpecReference uniquely identifies the QuotaSpec used in the
+ // Binding.
 message QuotaSpecReference {
 // REQUIRED. The short name of the QuotaSpec. This is the resource
 // name defined by the metadata name field.
From 1ee468c7b25bed1f17e863b604a9e2d109626569 Mon Sep 17 00:00:00 2001
From: Martin Taillefer Date: Tue, 6 Feb 2018 19:44:07 -0800 Subject: [PATCH 05/15] Regenerate docs with latest generator tool. (#360) --- Gopkg.lock | 4 ++-- broker/dev/istio.broker.dev.pb.html | 2 -- mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 2 -- .../v1beta/istio.mixer.adapter.model.v1beta.pb.html | 2 -- .../client/istio.mixer.v1.config.client.pb.html | 12 +++++------- .../istio.mixer.v1.config.descriptor.pb.html | 2 -- mixer/v1/config/istio.mixer.v1.config.pb.html | 4 +--- mixer/v1/istio.mixer.v1.pb.html | 2 -- mixer/v1/template/istio.mixer.v1.template.pb.html | 2 -- rbac/v1alpha1/istio.rbac.v1alpha1.pb.html | 2 -- routing/v1alpha1/istio.routing.v1alpha1.pb.html | 2 -- routing/v1alpha2/istio.routing.v1alpha2.pb.html | 2 -- 12 files changed, 8 insertions(+), 30 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index 23f12536117..cebc283276c 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -59,7 +59,7 @@ branch = "master" name = "github.com/istio/tools" packages = ["protoc-gen-docs"] - revision = "6e367b6e80075008a26f9f23cbd2bf4e51c5761d" + revision = "1e861aafb19104e025d5de4f3898f88f6f6b6534" [[projects]] branch = "master" @@ -106,7 +106,7 @@ branch = "master" name = "google.golang.org/genproto" packages = ["googleapis/rpc/status"] - revision = "4eb30f4778eed4c258ba66527a0d4f9ec8a36c45" + revision = "2b5a72b8730b0b16380010cfe5286c42108d88e7" [[projects]] name = "google.golang.org/grpc" diff --git a/broker/dev/istio.broker.dev.pb.html b/broker/dev/istio.broker.dev.pb.html index 501af79f650..17aaecec612 100644 --- a/broker/dev/istio.broker.dev.pb.html +++ b/broker/dev/istio.broker.dev.pb.html @@ -4,7 +4,5 @@ layout: protoc-gen-docs number_of_entries: 0 --- -{% raw %}

This package defines service broker configurations.

-{% endraw %} diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index 9f4cce7d681..75ae2c6a7d6 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -6,7 +6,6 @@ redirect_from: /docs/reference/config/service-mesh.html number_of_entries: 5 --- -{% raw %}

AuthenticationPolicy

AuthenticationPolicy defines authentication policy. It can be set for @@ -442,4 +441,3 @@

ProxyConfig

-{% endraw %} diff --git a/mixer/adapter/model/v1beta/istio.mixer.adapter.model.v1beta.pb.html b/mixer/adapter/model/v1beta/istio.mixer.adapter.model.v1beta.pb.html index 12cb5d67a1b..dcf7d50fb6e 100644 --- a/mixer/adapter/model/v1beta/istio.mixer.adapter.model.v1beta.pb.html +++ b/mixer/adapter/model/v1beta/istio.mixer.adapter.model.v1beta.pb.html @@ -5,7 +5,6 @@ layout: protoc-gen-docs number_of_entries: 9 --- -{% raw %}

This package defines the types that are used when creating Mixer templates. ValueType defined in this pacakge is also used by adapters to know the underlying datatype of the instance fields.

@@ -192,4 +191,3 @@

ValueType

-{% endraw %} diff --git a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html index 0073fa11414..d10c2c1bbb6 100644 --- a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html +++ b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html @@ -5,7 +5,6 @@ layout: protoc-gen-docs number_of_entries: 24 --- -{% raw %}

APIKey

APIKey defines the explicit configuration for generating the @@ -261,11 +260,11 @@

HTTPAPISpec

- attributes: api.operation: findPetById httpMethod: GET - uriTemplate: /api/pets/{id} + uriTemplate: /api/pets/{id} - attributes: api.operation: deletePet httpMethod: DELETE - uriTemplate: /api/pets/{id} + uriTemplate: /api/pets/{id} api_keys: - query: api-key @@ -419,9 +418,9 @@

HTTPAPISpecPattern

following are valid URI templates:

/pets
-/pets/{id}
-/dictionary/{term:1}/{term}
-/search{?q*,lang}
+/pets/{id}
+/dictionary/{term:1}/{term}
+/search{?q*,lang}
 
@@ -1280,4 +1279,3 @@

istio.mixer.v1.Attributes

-{% endraw %} diff --git a/mixer/v1/config/descriptor/istio.mixer.v1.config.descriptor.pb.html b/mixer/v1/config/descriptor/istio.mixer.v1.config.descriptor.pb.html index 3bea696e13f..3a3f8afb09b 100644 --- a/mixer/v1/config/descriptor/istio.mixer.v1.config.descriptor.pb.html +++ b/mixer/v1/config/descriptor/istio.mixer.v1.config.descriptor.pb.html @@ -5,7 +5,6 @@ layout: protoc-gen-docs number_of_entries: 1 --- -{% raw %}

ValueType

ValueType describes the types that values in the Istio system can take. These @@ -108,4 +107,3 @@

ValueType

-{% endraw %} diff --git a/mixer/v1/config/istio.mixer.v1.config.pb.html b/mixer/v1/config/istio.mixer.v1.config.pb.html index 3600b6f9e2d..e52bc0519e1 100644 --- a/mixer/v1/config/istio.mixer.v1.config.pb.html +++ b/mixer/v1/config/istio.mixer.v1.config.pb.html @@ -6,7 +6,6 @@ redirect_from: /docs/reference/config/mixer/policy-and-telemetry-rules.html number_of_entries: 7 --- -{% raw %}

Action

Action describes which Handler to invoke and what data to pass to it for processing.

@@ -91,7 +90,7 @@

AttributeManifest

We map from attribute name to the attribute’s specification. The name of an attribute, which is how attributes are referred to in aspect configuration, must conform to:

-
Name = IDENT { SEPARATOR IDENT };
+
Name = IDENT { SEPARATOR IDENT };
 

Where IDENT must match the regular expression *a-z*+ and SEPARATOR must @@ -380,4 +379,3 @@

google.protobuf.Struct

-{% endraw %} diff --git a/mixer/v1/istio.mixer.v1.pb.html b/mixer/v1/istio.mixer.v1.pb.html index b29e5cf2114..68264dfe444 100644 --- a/mixer/v1/istio.mixer.v1.pb.html +++ b/mixer/v1/istio.mixer.v1.pb.html @@ -6,7 +6,6 @@ redirect_from: /docs/reference/api/mixer/mixer.html number_of_entries: 17 --- -{% raw %}

This package defines the Mixer API that the sidecar proxy uses to perform precondition checks, manage quotas, and report telemetry.

@@ -848,4 +847,3 @@

Other uses

-{% endraw %} diff --git a/mixer/v1/template/istio.mixer.v1.template.pb.html b/mixer/v1/template/istio.mixer.v1.template.pb.html index a9244a5f6ad..e9ad08d35a2 100644 --- a/mixer/v1/template/istio.mixer.v1.template.pb.html +++ b/mixer/v1/template/istio.mixer.v1.template.pb.html @@ -5,7 +5,6 @@ layout: protoc-gen-docs number_of_entries: 8 --- -{% raw %}

This proto describes the types that can be used inside Mixer templates. These message types are used to specify field datatype to express the equivalent ValueType for the expressions the field can be mapped to.

@@ -82,4 +81,3 @@

Value

of the field depends on the datatype of the expression used in the operator configuration.

-{% endraw %} diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html index 3f3f555f5d0..bcefdc887e8 100644 --- a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html +++ b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html @@ -5,7 +5,6 @@ layout: protoc-gen-docs number_of_entries: 6 --- -{% raw %}

Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding objects.

@@ -332,4 +331,3 @@

Subject

-{% endraw %} diff --git a/routing/v1alpha1/istio.routing.v1alpha1.pb.html b/routing/v1alpha1/istio.routing.v1alpha1.pb.html index 4c6e0beb187..1246332b587 100644 --- a/routing/v1alpha1/istio.routing.v1alpha1.pb.html +++ b/routing/v1alpha1/istio.routing.v1alpha1.pb.html @@ -6,7 +6,6 @@ redirect_from: /docs/reference/config/traffic-rules/routing-rules.html number_of_entries: 28 --- -{% raw %}

Configuration affecting traffic routing. Here are a few terms useful to define in the context of routing rules.

@@ -1831,4 +1830,3 @@

StringMatch

-{% endraw %} diff --git a/routing/v1alpha2/istio.routing.v1alpha2.pb.html b/routing/v1alpha2/istio.routing.v1alpha2.pb.html index 7f62e519d28..222f26e1063 100644 --- a/routing/v1alpha2/istio.routing.v1alpha2.pb.html +++ b/routing/v1alpha2/istio.routing.v1alpha2.pb.html @@ -4,7 +4,6 @@ layout: protoc-gen-docs number_of_entries: 37 --- -{% raw %}

Configuration affecting traffic routing. Here are a few terms useful to define in the context of routing rules.

@@ -2844,4 +2843,3 @@

TrafficPolicy

-{% endraw %}
From 3c68bd6c813e48f0ed971e4307d51ac28610afb4 Mon Sep 17 00:00:00 2001
From: Diem Vu <25132401+diemtvu@users.noreply.github.com>
Date: Tue, 6 Feb 2018 21:25:59 -0800
Subject: [PATCH 06/15] Add proto for authentication policy. (#361)
---
 Makefile | 25 +-
 .../istio.authentication.v1alpha1.pb.html | 428 +++++++++++++++++
 authentication/v1alpha1/policy.pb.go | 436 ++++++++++++++++++
 authentication/v1alpha1/policy.proto | 192 ++++++++
 4 files changed, 1079 insertions(+), 2 deletions(-)
 create mode 100644 authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
 create mode 100644 authentication/v1alpha1/policy.pb.go
 create mode 100644 authentication/v1alpha1/policy.proto
diff --git a/Makefile b/Makefile
index d1b43f081fb..98be2036c43 100644
--- a/Makefile
+++ b/Makefile
@@ -145,7 +145,7 @@ depend: vendor binaries
 # Generation Rules
 #####################
-generate: generate-broker-go generate-mesh-go generate-mixer-go generate-routing-go generate-rbac-go
+generate: generate-broker-go generate-mesh-go generate-mixer-go generate-routing-go generate-rbac-go generate-authn-go
 #####################
 # broker/...
@@ -301,6 +301,27 @@ clean-rbac-generated:
 rm -f $(rbac_v1alpha1_pb_gos)
 rm -f $(rbac_v1alpha1_pb_doc)
+
+#####################
+# authentication/...
+#####################
+
+authn_v1alpha1_path := authentication/v1alpha1
+authn_v1alpha1_protos := $(shell find $(authn_v1alpha1_path) -type f -name '*.proto' | sort)
+authn_v1alpha1_pb_gos := $(authn_v1alpha1_protos:.proto=.pb.go)
+authn_v1alpha1_pb_doc := $(authn_v1alpha1_path)/istio.authentication.v1alpha1.pb.html
+
+generate-authn-go: $(authn_v1alpha1_pb_gos) $(authn_v1alpha1_pb_doc)
+
+$(authn_v1alpha1_pb_gos) $(authn_v1alpha1_pb_doc): $(authn_v1alpha1_protos) | depend $(protoc_gen_go) $(protoc_bin)
+ ## Generate authentication/v1alpha1/*.pb.go
+ $(protoc) $(proto_path) $(protoc_gen_go_plugin) $(protoc_gen_docs_plugin)$(authn_v1alpha1_path) $^
+
+clean-authn-generated:
+ rm -f $(authn_v1alpha1_pb_gos)
+ rm -f $(authn_v1alpha1_pb_doc)
+
+
 #####################
 # apis/...
 #####################
@@ -329,4 +350,4 @@ clean:
 rm -rf genbin
 rm -rf vendor
-clean-generated: clean-broker-generated clean-mesh-generated clean-mixer-generated clean-routing-generated clean-rbac-generated
+clean-generated: clean-broker-generated clean-mesh-generated clean-mixer-generated clean-routing-generated clean-rbac-generated clean-authn-generated
diff --git a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
new file mode 100644
index 00000000000..613d4e70a52
--- /dev/null
+++ b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
@@ -0,0 +1,428 @@ +--- +title: Authentication Policy +overview: Authentication policy for Istio services. +layout: protoc-gen-docs +number_of_entries: 6 +--- +{% raw %} +

This package defines user-facing authentication policy as well as configs that +the sidecar proxy uses to perform authentication.

+ +

Jwt

+
+

JSON Web Token (JWT) token format for authentication as defined by +https://tools.ietf.org/html/rfc7519. See OAuth +2.0 and OIDC +1.0 for how this is used in the whole +authentication flow.

+ +

Example,

+ +
issuer: https://example.com
+audiences:
+- bookstore_android.apps.googleusercontent.com
+  bookstore_web.apps.googleusercontent.com
+jwksUri: https://example.com/.well-known/jwks.json
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
issuerstring +

Identifies the issuer that issued the JWT. See +issuer +Usually a URL or an email address.

+ +

Example: https://securetoken.google.com +Example: 1234567-compute@developer.gserviceaccount.com

+ +
audiencesstring[] +

The list of JWT +audiences. +that are allowed to access. A JWT containing any of these +audiences will be accepted.

+ +

The service name will be accepted if audiences is empty.

+ +

Example:

+ +
audiences:
+- bookstore_android.apps.googleusercontent.com
+  bookstore_web.apps.googleusercontent.com
+
+ +
jwksUristring +

URL of the provider’s public key set to validate signature of the +JWT. See OpenID +Discovery.

+ +

Optional if the key set document can either (a) be retrieved from +OpenID +Discovery of +the issuer or (b) inferred from the email domain of the issuer (e.g. a +Google service account).

+ +

Example: https://www.googleapis.com/oauth2/v1/certs

+ +
jwtHeadersstring[] +

JWT is sent in a request header. header represents the +header name.

+ +

For example, if header=x-goog-iap-jwt-assertion, the header +format will be x-goog-iap-jwt-assertion: .

+ +
jwtParamsstring[] +

JWT is sent in a query parameter. query represents the +query parameter name.

+ +

For example, query=jwt_token.

+ +
+
+

Mechanism

+
+

Mechanism defines one particular type of authentication, e.g +mutual TLS, JWT etc, (no authentication is one type by itsefl). +The type can be progammatically determine by checking the type of the +“params” field.

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
noneNone (oneof) +

Set if authentication is not required.

+ +
mtlsMutualTls (oneof) +

Set if mTLS is used.

+ +
jwtJwt (oneof) +

Set if JWT is used.

+ +
+
+

MutualTls

+
+

Placeholder for mTLS authentication params.

+ +
+

None

+
+

Placeholder for None authentication params

+ +
+

Policy

+
+

Policy binds credentials to workload(s). +Authentication policy is composed of 2-part authentication: +- peer: verify caller service credentials. +- end_user: verify end-user credentials. +For each part, if it’s not empty, at least one of those listed credential +must be provided and (successfully) verified for the authentication to pass.

+ +

Examples: +Policy to enable mTLS for all services in namespace frod

+ +
apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+  name: mTLS-enable
+  namespace: frod
+spec:
+  match:
+  peers:
+  - mtls: {}
+
+ +

Policy to enable mTLS, and use JWT for productpage:9000

+ +
apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+  name: mTLS-enable
+  namespace: frod
+spec:
+  match:
+  - name: productpage
+    port:
+      number: 9000
+  peers:
+  - mtls:
+  endUsers:
+  - jwt:
+      issuer: "https://securetoken.google.com"
+      audiences:
+      - "productpage"
+      jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
+      locations:
+      - header: x-goog-iap-jwt-assertion
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
destinationsistio.routing.v1alpha2.Destination[] +

List of destinations (workloads) that the policy should be applied on. +If empty, policy will be used on all destinations in the same namespace.

+ +
peersMechanism[] +

List of credential that should be checked by peer authentication. They +will be validated in sequence, until the first one satisfied. If none of +the specified mechanism valid, the whole authentication should fail. +On the other hand, the first valid credential will be used to extract +peer identity (i.e the source.user attribute in the request to Mixer).

+ +
endUsersMechanism[] +

Similar to above, but for end_user authentication, which will extract +request.auth.principal/audiences/presenter if authentication succeed.

+ +
+
+

istio.routing.v1alpha2.Destination

+
+

Destination indicates the network addressable service to which the +request/connection will be sent after processing a routing rule. The +destination.name should unambiguously refer to a service in the service +registry. It can be a short name or a fully qualified domain name from +the service registry, a resolvable DNS name, an IP address or a service +name from the service registry and a subset name. The order of inference +is as follows:

+ +
    +
  1. Service registry lookup. The entire name is looked up in the service +registry. If the lookup succeeds, the search terminates. The requests +will be routed to any instance of the service in the mesh. When the +service name consists of a single word, the FQDN will be constructed in +a platform specific manner. For example, in Kubernetes, the namespace +associated with the routing rule will be used to identify the service as +.. However, if the service name contains +multiple words separated by a dot (e.g., reviews.prod), the name in its +entirety would be looked up in the service registry.

  2. + +
  3. Runtime DNS lookup by the proxy. If step 1 fails, and the name is not +an IP address, it will be considered as a DNS name that is not in the +service registry (e.g., wikipedia.org). The sidecar/gateway will resolve +the DNS and load balance requests appropriately. See Envoy’s strict_dns +for details.

  4. +
+ +

For example, the following rule routes all traffic by default to pods of +reviews service with label “version: v1” on a subset named v1, and some +to subset v2, in a kubernetes environment.

+ +
apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+  name: my-rule
+spec:
+  hosts:
+  - reviews # namespace is same as the client/caller's namespace
+  http:
+  - match:
+    - uri:
+        prefix: "/wpcatalog"
+    - uri:
+        prefix: "/consumercatalog"
+    rewrite:
+      uri: "/newcatalog"
+    route:
+    - destination:
+        name: reviews
+        subset: v2
+  - route:
+    - destination:
+        name: reviews
+        subset: v1
+
+ +

And the associated DestinationRule

+ +
apiVersion: config.istio.io/v1alpha2
+kind: DestinationRule
+metadata:
+  name: my-destination-rule
+spec:
+  name: reviews
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
+
+ +

The following rule sets a timeout of 5s for all calls to +productpage.prod service. Notice that there are no subsets defined in +this rule. Istio will fetch all instances of productpage.prod service +from the service registry and populate the sidecar’s load balancing +pool.

+ +
apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+  name: my-productpage-rule
+spec:
+  hosts:
+  - productpage.prod # in kubernetes, this applies only to prod namespace
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        name: productpage.prod
+
+ +

The following rule sets a timeout of 5s for all calls to the external +service wikipedia.org, as there is no internal service of that name.

+ +
apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+  name: my-wiki-rule
+spec:
+  hosts:
+  - wikipedia.org
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        name: wikipedia.org
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
namestring +

REQUIRED. The name can be a short name or a fully qualified domain +name from the service registry, a resolvable DNS name, or an IP +address.

+ +

If short names are used, the FQDN of the service will be resolved in a +platform specific manner. For example in Kubernetes, when a rule with +a short name “reviews” in the destination is applied to a client in +the “bookinfo” namespace, the final destination is resolved to +reviews.bookinfo.svc.cluster.local. If the rule refers to the +destination as “reviews.sales”, the resolution process first looks for +a “reviews” service in the “sales” namespace. In both cases, the +sidecar will route to the IP addresses of the pods constituting the +service. However, if the lookup fails, “reviews.sales” is treated as +an external service, such that the sidecar will dynamically resolve +the DNS of the service name and route the request to the IP addresses +returned by the DNS.

+ +
subsetstring +

The name of a subset within the service. Applicable only to services +within the mesh. The subset must be defined in the corresponding +DestinationRule.

+ +
portistio.routing.v1alpha2.PortSelector +

Specifies the port on the destination. Many services only expose a +single port or label ports with the protocols they support, in these +cases it is not required to explicitly select the port. Note that +selection priority is to first match by name and then match by number.

+ +

Names must comply with DNS label syntax (rfc1035) and therefore cannot +collide with numbers. If there are multiple ports on a service with +the same protocol the names should be of the form -.

+ +
+
+{% endraw %}
diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go
new file mode 100644
index 00000000000..9bc9cb3ce95
--- /dev/null
+++ b/authentication/v1alpha1/policy.pb.go
@@ -0,0 +1,436 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: authentication/v1alpha1/policy.proto + +/* +Package v1alpha1 is a generated protocol buffer package. + +This package defines user-facing authentication policy as well as configs that +the sidecar proxy uses to perform authentication. + +It is generated from these files: + authentication/v1alpha1/policy.proto + +It has these top-level messages: + None + MutualTls + Jwt + Mechanism + Policy +*/ +package v1alpha1 + +import proto "github.com/golang/protobuf/proto" +import fmt "fmt" +import math "math" +import istio_routing_v1alpha2 "istio.io/api/routing/v1alpha2" + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package + +// Placeholder for None authentication params +type None struct { +} + +func (m *None) Reset() { *m = None{} } +func (m *None) String() string { return proto.CompactTextString(m) } +func (*None) ProtoMessage() {} +func (*None) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } + +// Placeholder for mTLS authentication params. +type MutualTls struct { +} + +func (m *MutualTls) Reset() { *m = MutualTls{} } +func (m *MutualTls) String() string { return proto.CompactTextString(m) } +func (*MutualTls) ProtoMessage() {} +func (*MutualTls) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } + +// JSON Web Token (JWT) token format for authentication as defined by +// https://tools.ietf.org/html/rfc7519. 
See [OAuth +// 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC +// 1.0](http://openid.net/connect) for how this is used in the whole +// authentication flow. +// +// Example, +// +// ```yaml +// issuer: https://example.com +// audiences: +// - bookstore_android.apps.googleusercontent.com +// bookstore_web.apps.googleusercontent.com +// jwksUri: https://example.com/.well-known/jwks.json +// ``` +type Jwt struct { + // Identifies the issuer that issued the JWT. See + // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) + // Usually a URL or an email address. + // + // Example: https://securetoken.google.com + // Example: 1234567-compute@developer.gserviceaccount.com + Issuer string `protobuf:"bytes,1,opt,name=issuer" json:"issuer,omitempty"` + // The list of JWT + // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). + // that are allowed to access. A JWT containing any of these + // audiences will be accepted. + // + // The service name will be accepted if audiences is empty. + // + // Example: + // + // ```yaml + // audiences: + // - bookstore_android.apps.googleusercontent.com + // bookstore_web.apps.googleusercontent.com + // ``` + Audiences []string `protobuf:"bytes,2,rep,name=audiences" json:"audiences,omitempty"` + // URL of the provider's public key set to validate signature of the + // JWT. See [OpenID + // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). + // + // Optional if the key set document can either (a) be retrieved from + // [OpenID + // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of + // the issuer or (b) inferred from the email domain of the issuer (e.g. a + // Google service account). + // + // Example: https://www.googleapis.com/oauth2/v1/certs + JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri" json:"jwks_uri,omitempty"` + // JWT is sent in a request header. `header` represents the + // header name. 
+ // + // For example, if `header=x-goog-iap-jwt-assertion`, the header + // format will be x-goog-iap-jwt-assertion: . + JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders" json:"jwt_headers,omitempty"` + // JWT is sent in a query parameter. `query` represents the + // query parameter name. + // + // For example, `query=jwt_token`. + JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams" json:"jwt_params,omitempty"` +} + +func (m *Jwt) Reset() { *m = Jwt{} } +func (m *Jwt) String() string { return proto.CompactTextString(m) } +func (*Jwt) ProtoMessage() {} +func (*Jwt) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } + +func (m *Jwt) GetIssuer() string { + if m != nil { + return m.Issuer + } + return "" +} + +func (m *Jwt) GetAudiences() []string { + if m != nil { + return m.Audiences + } + return nil +} + +func (m *Jwt) GetJwksUri() string { + if m != nil { + return m.JwksUri + } + return "" +} + +func (m *Jwt) GetJwtHeaders() []string { + if m != nil { + return m.JwtHeaders + } + return nil +} + +func (m *Jwt) GetJwtParams() []string { + if m != nil { + return m.JwtParams + } + return nil +} + +// Mechanism defines one particular type of authentication, e.g +// mutual TLS, JWT etc, (no authentication is one type by itsefl). +// The type can be progammatically determine by checking the type of the +// "params" field. 
+type Mechanism struct { + // Types that are valid to be assigned to Params: + // *Mechanism_None + // *Mechanism_Mtls + // *Mechanism_Jwt + Params isMechanism_Params `protobuf_oneof:"params"` +} + +func (m *Mechanism) Reset() { *m = Mechanism{} } +func (m *Mechanism) String() string { return proto.CompactTextString(m) } +func (*Mechanism) ProtoMessage() {} +func (*Mechanism) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } + +type isMechanism_Params interface{ isMechanism_Params() } + +type Mechanism_None struct { + None *None `protobuf:"bytes,1,opt,name=none,oneof"` +} +type Mechanism_Mtls struct { + Mtls *MutualTls `protobuf:"bytes,2,opt,name=mtls,oneof"` +} +type Mechanism_Jwt struct { + Jwt *Jwt `protobuf:"bytes,3,opt,name=jwt,oneof"` +} + +func (*Mechanism_None) isMechanism_Params() {} +func (*Mechanism_Mtls) isMechanism_Params() {} +func (*Mechanism_Jwt) isMechanism_Params() {} + +func (m *Mechanism) GetParams() isMechanism_Params { + if m != nil { + return m.Params + } + return nil +} + +func (m *Mechanism) GetNone() *None { + if x, ok := m.GetParams().(*Mechanism_None); ok { + return x.None + } + return nil +} + +func (m *Mechanism) GetMtls() *MutualTls { + if x, ok := m.GetParams().(*Mechanism_Mtls); ok { + return x.Mtls + } + return nil +} + +func (m *Mechanism) GetJwt() *Jwt { + if x, ok := m.GetParams().(*Mechanism_Jwt); ok { + return x.Jwt + } + return nil +} + +// XXX_OneofFuncs is for the internal use of the proto package. 
+func (*Mechanism) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) { + return _Mechanism_OneofMarshaler, _Mechanism_OneofUnmarshaler, _Mechanism_OneofSizer, []interface{}{ + (*Mechanism_None)(nil), + (*Mechanism_Mtls)(nil), + (*Mechanism_Jwt)(nil), + } +} + +func _Mechanism_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { + m := msg.(*Mechanism) + // params + switch x := m.Params.(type) { + case *Mechanism_None: + b.EncodeVarint(1<<3 | proto.WireBytes) + if err := b.EncodeMessage(x.None); err != nil { + return err + } + case *Mechanism_Mtls: + b.EncodeVarint(2<<3 | proto.WireBytes) + if err := b.EncodeMessage(x.Mtls); err != nil { + return err + } + case *Mechanism_Jwt: + b.EncodeVarint(3<<3 | proto.WireBytes) + if err := b.EncodeMessage(x.Jwt); err != nil { + return err + } + case nil: + default: + return fmt.Errorf("Mechanism.Params has unexpected type %T", x) + } + return nil +} + +func _Mechanism_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { + m := msg.(*Mechanism) + switch tag { + case 1: // params.none + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + msg := new(None) + err := b.DecodeMessage(msg) + m.Params = &Mechanism_None{msg} + return true, err + case 2: // params.mtls + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + msg := new(MutualTls) + err := b.DecodeMessage(msg) + m.Params = &Mechanism_Mtls{msg} + return true, err + case 3: // params.jwt + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + msg := new(Jwt) + err := b.DecodeMessage(msg) + m.Params = &Mechanism_Jwt{msg} + return true, err + default: + return false, nil + } +} + +func _Mechanism_OneofSizer(msg proto.Message) (n int) { + m := msg.(*Mechanism) + // params + switch x := m.Params.(type) { + case *Mechanism_None: + s := 
proto.Size(x.None) + n += proto.SizeVarint(1<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(s)) + n += s + case *Mechanism_Mtls: + s := proto.Size(x.Mtls) + n += proto.SizeVarint(2<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(s)) + n += s + case *Mechanism_Jwt: + s := proto.Size(x.Jwt) + n += proto.SizeVarint(3<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(s)) + n += s + case nil: + default: + panic(fmt.Sprintf("proto: unexpected type %T in oneof", x)) + } + return n +} + +// Policy binds credentials to workload(s). +// Authentication policy is composed of 2-part authentication: +// - peer: verify caller service credentials. +// - end_user: verify end-user credentials. +// For each part, if it's not empty, at least one of those listed credential +// must be provided and (successfully) verified for the authentication to pass. +// +// Examples: +// Policy to enable mTLS for all services in namespace frod +// +// ```yaml +// apiVersion: authentication.istio.io/v1alpha1 +// kind: Policy +// metadata: +// name: mTLS-enable +// namespace: frod +// spec: +// match: +// peers: +// - mtls: {} +// ``` +// Policy to enable mTLS, and use JWT for productpage:9000 +// +// ```yaml +// apiVersion: authentication.istio.io/v1alpha1 +// kind: Policy +// metadata: +// name: mTLS-enable +// namespace: frod +// spec: +// match: +// - name: productpage +// port: +// number: 9000 +// peers: +// - mtls: +// endUsers: +// - jwt: +// issuer: "https://securetoken.google.com" +// audiences: +// - "productpage" +// jwksUri: "https://www.googleapis.com/oauth2/v1/certs" +// locations: +// - header: x-goog-iap-jwt-assertion +// ``` +type Policy struct { + // List of destinations (workloads) that the policy should be applied on. + // If empty, policy will be used on all destinations in the same namespace. 
+ Destinations []*istio_routing_v1alpha2.Destination `protobuf:"bytes,1,rep,name=destinations" json:"destinations,omitempty"` + // List of credential that should be checked by peer authentication. They + // will be validated in sequence, until the first one satisfied. If none of + // the specified mechanism valid, the whole authentication should fail. + // On the other hand, the first valid credential will be used to extract + // peer identity (i.e the source.user attribute in the request to Mixer). + Peers []*Mechanism `protobuf:"bytes,2,rep,name=peers" json:"peers,omitempty"` + // Similar to above, but for end_user authentication, which will extract + // request.auth.principal/audiences/presenter if authentication succeed. + EndUsers []*Mechanism `protobuf:"bytes,3,rep,name=end_users,json=endUsers" json:"end_users,omitempty"` +} + +func (m *Policy) Reset() { *m = Policy{} } +func (m *Policy) String() string { return proto.CompactTextString(m) } +func (*Policy) ProtoMessage() {} +func (*Policy) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} } + +func (m *Policy) GetDestinations() []*istio_routing_v1alpha2.Destination { + if m != nil { + return m.Destinations + } + return nil +} + +func (m *Policy) GetPeers() []*Mechanism { + if m != nil { + return m.Peers + } + return nil +} + +func (m *Policy) GetEndUsers() []*Mechanism { + if m != nil { + return m.EndUsers + } + return nil +} + +func init() { + proto.RegisterType((*None)(nil), "istio.authentication.v1alpha1.None") + proto.RegisterType((*MutualTls)(nil), "istio.authentication.v1alpha1.MutualTls") + proto.RegisterType((*Jwt)(nil), "istio.authentication.v1alpha1.Jwt") + proto.RegisterType((*Mechanism)(nil), "istio.authentication.v1alpha1.Mechanism") + proto.RegisterType((*Policy)(nil), "istio.authentication.v1alpha1.Policy") +} + +func init() { proto.RegisterFile("authentication/v1alpha1/policy.proto", fileDescriptor0) } + +var fileDescriptor0 = []byte{ + // 398 bytes of a gzipped 
FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x92, 0xcf, 0xca, 0xd3, 0x40, + 0x14, 0xc5, 0xbf, 0x34, 0x35, 0x6d, 0x6e, 0x5c, 0xcd, 0x42, 0xa2, 0x58, 0xac, 0xb1, 0x48, 0x57, + 0x09, 0x8d, 0x20, 0xb8, 0xe9, 0xa2, 0x28, 0x96, 0x42, 0xa5, 0x04, 0xbb, 0x71, 0x13, 0xc6, 0x64, + 0x30, 0x13, 0xd3, 0x99, 0x30, 0x7f, 0x0c, 0xbe, 0x88, 0xcf, 0xe4, 0x23, 0xf8, 0x38, 0x32, 0x93, + 0xc6, 0xda, 0x85, 0x96, 0x6f, 0x79, 0x0f, 0xf7, 0x77, 0x98, 0x73, 0xe6, 0xc2, 0x02, 0x6b, 0x55, + 0x11, 0xa6, 0x68, 0x81, 0x15, 0xe5, 0x2c, 0xf9, 0xb6, 0xc2, 0x4d, 0x5b, 0xe1, 0x55, 0xd2, 0xf2, + 0x86, 0x16, 0xdf, 0xe3, 0x56, 0x70, 0xc5, 0xd1, 0x8c, 0x4a, 0x45, 0x79, 0x7c, 0xbd, 0x1b, 0x0f, + 0xbb, 0x4f, 0x9e, 0x0b, 0xae, 0x15, 0x65, 0x5f, 0x06, 0x3a, 0x4d, 0x8c, 0x40, 0x72, 0xa1, 0x1b, + 0xd2, 0x3b, 0x44, 0x1e, 0x8c, 0x3f, 0x70, 0x46, 0xa2, 0x00, 0xfc, 0xbd, 0x56, 0x1a, 0x37, 0x1f, + 0x1b, 0x19, 0xfd, 0x70, 0xc0, 0xdd, 0x75, 0x0a, 0x3d, 0x02, 0x8f, 0x4a, 0xa9, 0x89, 0x08, 0x9d, + 0xb9, 0xb3, 0xf4, 0xb3, 0xf3, 0x84, 0x9e, 0x82, 0x8f, 0x75, 0x49, 0x09, 0x2b, 0x88, 0x0c, 0x47, + 0x73, 0x77, 0xe9, 0x67, 0x17, 0x01, 0x3d, 0x86, 0x69, 0xdd, 0x7d, 0x95, 0xb9, 0x16, 0x34, 0x74, + 0x2d, 0x37, 0x31, 0xf3, 0x51, 0x50, 0xf4, 0x0c, 0x82, 0xba, 0x53, 0x79, 0x45, 0x70, 0x49, 0x84, + 0x0c, 0x3d, 0x8b, 0x42, 0xdd, 0xa9, 0x6d, 0xaf, 0xa0, 0x19, 0x98, 0x29, 0x6f, 0xb1, 0xc0, 0x27, + 0x19, 0x4e, 0x7a, 0xeb, 0xba, 0x53, 0x07, 0x2b, 0x44, 0x3f, 0x1d, 0xf0, 0xf7, 0xa4, 0xa8, 0x30, + 0xa3, 0xf2, 0x84, 0xde, 0xc0, 0x98, 0x71, 0x46, 0xec, 0xe3, 0x82, 0xf4, 0x45, 0xfc, 0xdf, 0x32, + 0x62, 0x13, 0x73, 0x7b, 0x97, 0x59, 0x04, 0xad, 0x61, 0x7c, 0x52, 0x8d, 0x79, 0xbc, 0x41, 0x97, + 0x37, 0xd0, 0x3f, 0xcd, 0x18, 0xde, 0x70, 0xe8, 0x35, 0xb8, 0x75, 0xa7, 0x6c, 0xbc, 0x20, 0x8d, + 0x6e, 0xe0, 0xbb, 0x4e, 0x6d, 0xef, 0x32, 0x03, 0x6c, 0xa6, 0xe0, 0xf5, 0xd9, 0xa2, 0x5f, 0x0e, + 0x78, 0x07, 0xfb, 0x97, 0xe8, 0x3d, 0x3c, 0x2c, 0x89, 0x54, 0x94, 0x59, 0x4e, 0x86, 0xce, 0xdc, + 0xfd, 0x2b, 0xcf, 
0xf9, 0x0f, 0x07, 0xbb, 0x34, 0x7e, 0x7b, 0xd9, 0xcd, 0xae, 0x40, 0xb4, 0x86, + 0x07, 0x2d, 0x31, 0xc5, 0x8e, 0xac, 0xc3, 0xcd, 0x58, 0x43, 0x93, 0x59, 0x8f, 0xa1, 0x77, 0xe0, + 0x13, 0x56, 0xe6, 0x5a, 0x1a, 0x0f, 0xf7, 0x9e, 0x1e, 0x53, 0xc2, 0xca, 0xa3, 0x21, 0x37, 0x2f, + 0x3f, 0x2d, 0x7a, 0x88, 0xf2, 0x04, 0xb7, 0x34, 0xf9, 0xc7, 0x29, 0x7f, 0xf6, 0xec, 0x09, 0xbe, + 0xfa, 0x1d, 0x00, 0x00, 0xff, 0xff, 0x4d, 0x5c, 0x9c, 0xa1, 0xec, 0x02, 0x00, 0x00, +} diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto new file mode 100644 index 00000000000..86c85353e62 --- /dev/null +++ b/authentication/v1alpha1/policy.proto 
@@ -0,0 +1,192 @@
+// Copyright 2018 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+import "routing/v1alpha2/route_rule.proto";
+
+// $title: Authentication Policy
+// $overview: Authentication policy for Istio services.
+
+// This package defines user-facing authentication policy as well as configs that
+// the sidecar proxy uses to perform authentication.
+package istio.authentication.v1alpha1;
+
+option go_package = "istio.io/api/authentication/v1alpha1";
+
+// Placeholder for None authentication params
+message None {
+}
+
+// Placeholder for mTLS authentication params.
+message MutualTls {
+}
+
+// JSON Web Token (JWT) token format for authentication as defined by
+// https://tools.ietf.org/html/rfc7519. See [OAuth
+// 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC
+// 1.0](http://openid.net/connect) for how this is used in the whole
+// authentication flow.
+//
+// Example,
+//
+// ```yaml
+// issuer: https://example.com
+// audiences:
+// - bookstore_android.apps.googleusercontent.com
+// bookstore_web.apps.googleusercontent.com
+// jwksUri: https://example.com/.well-known/jwks.json
+// ```
+message Jwt {
+ // Identifies the issuer that issued the JWT. See
+ // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
+ // Usually a URL or an email address.
+ //
+ // Example: https://securetoken.google.com
+ // Example: 1234567-compute@developer.gserviceaccount.com
+ string issuer = 1;
+
+ // The list of JWT
+ // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
+ // that are allowed to access. A JWT containing any of these
+ // audiences will be accepted.
+ //
+ // The service name will be accepted if audiences is empty.
+ //
+ // Example:
+ //
+ // ```yaml
+ // audiences:
+ // - bookstore_android.apps.googleusercontent.com
+ // bookstore_web.apps.googleusercontent.com
+ // ```
+ repeated string audiences = 2;
+
+ // URL of the provider's public key set to validate signature of the
+ // JWT. See [OpenID
+ // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+ //
+ // Optional if the key set document can either (a) be retrieved from
+ // [OpenID
+ // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
+ // the issuer or (b) inferred from the email domain of the issuer (e.g. a
+ // Google service account).
+ //
+ // Example: https://www.googleapis.com/oauth2/v1/certs
+ string jwks_uri = 3;
+
+ // Two fields below define where to extract the JWT from an HTTP request.
+ //
+ // If no explicit location is specified the following default
+ // locations are tried in order:
+ //
+ // 1) The Authorization header using the Bearer schema,
+ // e.g. Authorization: Bearer . (see
+ // [Authorization Request Header Field](https://tools.ietf.org/html/rfc6750#section-2.1))
+ //
+ // 2) `access_token` query parameter (see
+ // [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
+
+ // JWT is sent in a request header. `header` represents the
+ // header name.
+ //
+ // For example, if `header=x-goog-iap-jwt-assertion`, the header
+ // format will be x-goog-iap-jwt-assertion: .
+ repeated string jwt_headers = 6;
+
+ // JWT is sent in a query parameter. `query` represents the
+ // query parameter name.
+ //
+ // For example, `query=jwt_token`.
+ repeated string jwt_params = 7;
+}
+
+// Mechanism defines one particular type of authentication, e.g
+// mutual TLS, JWT etc, (no authentication is one type by itsefl).
+// The type can be progammatically determine by checking the type of the
+// "params" field.
+message Mechanism {
+ oneof params {
+ // Set if authentication is not required.
+ None none = 1;
+
+ // Set if mTLS is used.
+ MutualTls mtls = 2;
+
+ // Set if JWT is used.
+ Jwt jwt = 3;
+ }
+}
+
+// Policy binds credentials to workload(s).
+// Authentication policy is composed of 2-part authentication:
+// - peer: verify caller service credentials.
+// - end_user: verify end-user credentials.
+// For each part, if it's not empty, at least one of those listed credential
+// must be provided and (successfully) verified for the authentication to pass.
+//
+// Examples:
+// Policy to enable mTLS for all services in namespace frod
+//
+// ```yaml
+// apiVersion: authentication.istio.io/v1alpha1
+// kind: Policy
+// metadata:
+// name: mTLS-enable
+// namespace: frod
+// spec:
+// match:
+// peers:
+// - mtls: {}
+// ```
+// Policy to enable mTLS, and use JWT for productpage:9000
+//
+// ```yaml
+// apiVersion: authentication.istio.io/v1alpha1
+// kind: Policy
+// metadata:
+// name: mTLS-enable
+// namespace: frod
+// spec:
+// match:
+// - name: productpage
+// port:
+// number: 9000
+// peers:
+// - mtls:
+// endUsers:
+// - jwt:
+// issuer: "https://securetoken.google.com"
+// audiences:
+// - "productpage"
+// jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
+// locations:
+// - header: x-goog-iap-jwt-assertion
+// ```
+message Policy {
+ // List of destinations (workloads) that the policy should be applied on.
+ // If empty, policy will be used on all destinations in the same namespace.
+ repeated istio.routing.v1alpha2.Destination destinations = 1;
+
+ // List of credential that should be checked by peer authentication. They
+ // will be validated in sequence, until the first one satisfied. If none of
+ // the specified mechanism valid, the whole authentication should fail.
+ // On the other hand, the first valid credential will be used to extract
+ // peer identity (i.e the source.user attribute in the request to Mixer).
+ repeated Mechanism peers = 2;
+
+ // Similar to above, but for end_user authentication, which will extract
+ // request.auth.principal/audiences/presenter if authentication succeed.
+ repeated Mechanism end_users = 3;
+}
From fb7f742aa990ec1c6b315de1c806da925336ef62 Mon Sep 17 00:00:00 2001
From: Shriram Rajagopalan
Date: Thu, 8 Feb 2018 15:31:39 -0500
Subject: [PATCH 07/15] separate check and report clusters (#362) * separate check and report clusters * fix * nits * nit * backward compat
---
mesh/v1alpha1/config.pb.go | 163 ++++++++++++----------
mesh/v1alpha1/config.proto | 32 +++--
mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 37 +++--
3 files changed, 143 insertions(+), 89 deletions(-)
diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go
index 291c818adb6..6113a1f6efc 100644
--- a/mesh/v1alpha1/config.pb.go
+++ b/mesh/v1alpha1/config.pb.go
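Review bot: The comments and examples in policy.proto name keys that the messages do not declare: `jwt_headers = 6` and `jwt_params = 7` are documented as `header` and `query`, and the second `Policy` example uses `match:` and `locations: - header: ...` where `Policy` declares `destinations` and `Jwt` declares `jwt_headers`/`jwt_params`. For an authentication policy this is more than cosmetic, because a copied example whose keys are not recognised could be rejected or, depending on how the config is decoded (not shown here), silently fall back to the default token locations or to all destinations in the namespace. I would reword the field comments to the declared names, e.g. `// Names of the request headers to read the JWT from, e.g. x-goog-iap-jwt-assertion.` and `// Names of the query parameters to read the JWT from, e.g. jwt_token.`, and change the examples to `destinations:` and `jwtHeaders:`. `Jwt` also skips field numbers 4 and 5; if an earlier draft used them, `reserved 4, 5;` would keep them from being reused.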
@@ -302,13 +302,23 @@ func (m *ProxyConfig) GetConcurrency() int32 { // MeshConfig defines mesh-wide variables shared by all Envoy instances in the // Istio service mesh. type MeshConfig struct { - // Address of the egress Envoy service (e.g. _istio-egress:80_). - EgressProxyAddress string `protobuf:"bytes,1,opt,name=egress_proxy_address,json=egressProxyAddress" json:"egress_proxy_address,omitempty"` - // Address of the mixer service (e.g. _istio-mixer:15004_). - // Empty value disables Mixer checks and telemetry. - MixerAddress string `protobuf:"bytes,2,opt,name=mixer_address,json=mixerAddress" json:"mixer_address,omitempty"` - // Disable policy checks by the mixer service. Metrics will still be - // reported to the mixer for HTTP requests and TCP connections. Default + // Address of the server that will be used by the proxies for policy + // check calls (e.g. _istio-mixer:15004_). By using different names for + // mixerCheckServer and mixerReportServer, it is possible to have one set + // of mixer servers handle policy check calls, while another set of mixer + // servers handle telemetry calls. + // + // NOTE: Omitting mixerCheckServer while specifying mixerReportServer is + // equivalent to setting disablePolicyChecks to true. + MixerCheckServer string `protobuf:"bytes,1,opt,name=mixer_check_server,json=mixerCheckServer" json:"mixer_check_server,omitempty"` + // Address of the server that will be used by the proxies as an Istio + // telemetry sink (access logs, API/connection metrics) + // (e.g. _istio-mixer:15004_). By using different names for + // mixerCheckServer and mixerReportServer, it is possible to have one set + // of mixer servers handle policy check calls, while another set of mixer + // servers handle telemetry calls. + MixerReportServer string `protobuf:"bytes,2,opt,name=mixer_report_server,json=mixerReportServer" json:"mixer_report_server,omitempty"` + // Disable policy checks by the mixer service. Default // is false, i.e. 
mixer policy check is enabled by default. DisablePolicyChecks bool `protobuf:"varint,3,opt,name=disable_policy_checks,json=disablePolicyChecks" json:"disable_policy_checks,omitempty"` // Port on which Envoy should listen for incoming connections from @@ -351,6 +361,9 @@ type MeshConfig struct { // DO NOT use this setting for services that are managed by Istio (i.e. using Istio sidecar). // Instead, use service-level annotations to overwrite the authentication policy. MtlsExcludedServices []string `protobuf:"bytes,15,rep,name=mtls_excluded_services,json=mtlsExcludedServices" json:"mtls_excluded_services,omitempty"` + // DEPRECATED. Mixer address. This option will be removed soon. Please + // use mixer_check_server and mixer_report_server. + MixerAddress string `protobuf:"bytes,16,opt,name=mixer_address,json=mixerAddress" json:"mixer_address,omitempty"` } func (m *MeshConfig) Reset() { *m = MeshConfig{} } @@ -358,16 +371,16 @@ func (m *MeshConfig) String() string { return proto.CompactTextString func (*MeshConfig) ProtoMessage() {} func (*MeshConfig) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } -func (m *MeshConfig) GetEgressProxyAddress() string { +func (m *MeshConfig) GetMixerCheckServer() string { if m != nil { - return m.EgressProxyAddress + return m.MixerCheckServer } return "" } -func (m *MeshConfig) GetMixerAddress() string { +func (m *MeshConfig) GetMixerReportServer() string { if m != nil { - return m.MixerAddress + return m.MixerReportServer } return "" } @@ -463,6 +476,13 @@ func (m *MeshConfig) GetMtlsExcludedServices() []string { return nil } +func (m *MeshConfig) GetMixerAddress() string { + if m != nil { + return m.MixerAddress + } + return "" +} + func init() { proto.RegisterType((*ProxyConfig)(nil), "istio.mesh.v1alpha1.ProxyConfig") proto.RegisterType((*MeshConfig)(nil), "istio.mesh.v1alpha1.MeshConfig") 
@@ -474,64 +494,65 @@ func init() { func init() { proto.RegisterFile("mesh/v1alpha1/config.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 941 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x4d, 0x6f, 0xe3, 0x36, - 0x13, 0x5e, 0xe7, 0xcb, 0xc9, 0x38, 0x96, 0x1d, 0x6d, 0x92, 0xd5, 0x06, 0x2f, 0xde, 0x1a, 0x59, - 0x74, 0xeb, 0xa6, 0x85, 0xdd, 0x4d, 0xdb, 0x43, 0x2f, 0x45, 0xf3, 0xd9, 0x0d, 0xe0, 0x24, 0xae, - 0xe2, 0x5c, 0xf6, 0x42, 0x30, 0x12, 0x63, 0x11, 0x4b, 0x93, 0x02, 0x49, 0xa5, 0xf1, 0xfe, 0xaf, - 0xfe, 0x9e, 0x5e, 0xfb, 0x33, 0x0a, 0x71, 0x28, 0xc7, 0x5d, 0xb8, 0x08, 0x7a, 0xd4, 0x33, 0xcf, - 0xcc, 0x70, 0x3e, 0x9e, 0x11, 0xec, 0x4d, 0x98, 0xc9, 0xfa, 0x0f, 0xef, 0xa8, 0xc8, 0x33, 0xfa, - 0xae, 0x9f, 0x28, 0x79, 0xcf, 0xc7, 0xbd, 0x5c, 0x2b, 0xab, 0xc2, 0x97, 0xdc, 0x58, 0xae, 0x7a, - 0x25, 0xa3, 0x57, 0x31, 0xf6, 0xfe, 0x3f, 0x56, 0x6a, 0x2c, 0x58, 0xdf, 0x51, 0xee, 0x8a, 0xfb, - 0x7e, 0x5a, 0x68, 0x6a, 0xb9, 0x92, 0xe8, 0xb4, 0xff, 0xe7, 0x1a, 0x34, 0x86, 0x5a, 0x3d, 0x4e, - 0x4f, 0x5c, 0xa8, 0xf0, 0x0b, 0x68, 0x60, 0x50, 0x92, 0x53, 0x9b, 0x45, 0xb5, 0x4e, 0xad, 0xbb, - 0x11, 0x03, 0x42, 0x43, 0x6a, 0xb3, 0x92, 0x70, 0xc7, 0x25, 0xd5, 0x53, 0x24, 0x2c, 0x21, 0x01, - 0x21, 0x47, 0xf8, 0x0a, 0x5a, 0x86, 0xe9, 0x07, 0x9e, 0x30, 0x92, 0x88, 0xc2, 0x58, 0xa6, 0xa3, - 0x65, 0x47, 0x0a, 0x3c, 0x7c, 0x82, 0x68, 0xf8, 0x0b, 0x04, 0xa9, 0xa6, 0x5c, 0x92, 0xea, 0x49, - 0xd1, 0x4a, 0xa7, 0xd6, 0x6d, 0x1c, 0xbe, 0xee, 0xe1, 0x9b, 0x7b, 0xd5, 0x9b, 0x7b, 0xa7, 0x9e, - 0x10, 0x37, 0x9d, 0x43, 0xf5, 0x19, 0xde, 0x40, 0x94, 0x53, 0xcd, 0xa4, 0x25, 0x26, 0x2b, 0x6c, - 0xaa, 0x7e, 0x9f, 0x8b, 0xb5, 0xfa, 0x5c, 0xac, 0x5d, 0x74, 0xbd, 0xf1, 0x9e, 0xb3, 0xa0, 0xdf, - 0xc0, 0x56, 0xca, 0x4d, 0xa2, 0x1e, 0x98, 0x9e, 0x12, 0x9a, 0xa6, 0x9a, 0x19, 0x13, 0xad, 0xb9, - 0x0a, 0xda, 0x33, 0xc3, 0x11, 0xe2, 0xe1, 0x6f, 0xf0, 0xea, 0x89, 0xac, 0xd9, 0xbd, 0x66, 0x26, - 0x23, 0x29, 0x13, 0x74, 0x1a, 0xd5, 
0x9f, 0x7b, 0xc0, 0xce, 0xcc, 0x33, 0x46, 0xc7, 0xd3, 0xd2, - 0x2f, 0xfc, 0x12, 0x82, 0x4f, 0x3c, 0xff, 0xc8, 0xe5, 0x2c, 0xf9, 0xba, 0x4b, 0xde, 0x44, 0xb4, - 0xca, 0x7c, 0x0c, 0xad, 0x44, 0x49, 0xc9, 0x12, 0x4b, 0x2c, 0x9f, 0x30, 0x55, 0xd8, 0x68, 0xe3, - 0xb9, 0x8c, 0x81, 0xf7, 0x18, 0xa1, 0x43, 0xf8, 0x2d, 0x84, 0xc6, 0x52, 0x6b, 0x52, 0x52, 0xa4, - 0xf9, 0x2c, 0x1d, 0x60, 0xad, 0x68, 0xb9, 0x4d, 0xf3, 0x2a, 0x63, 0x17, 0xda, 0x79, 0xb9, 0x29, - 0x84, 0xa6, 0x13, 0x2e, 0x49, 0xae, 0xb4, 0x8d, 0x1a, 0x9d, 0x5a, 0x77, 0x35, 0x0e, 0x1c, 0x7e, - 0x54, 0xc2, 0x43, 0xa5, 0x6d, 0xd9, 0x42, 0xfa, 0x40, 0xb9, 0xa0, 0x77, 0x5c, 0x70, 0x3b, 0x25, - 0x9f, 0x94, 0x64, 0xd1, 0x26, 0x86, 0x9d, 0x37, 0x7c, 0x50, 0x92, 0x85, 0x29, 0xbc, 0x4e, 0x94, - 0xb4, 0x5a, 0x09, 0x92, 0x0b, 0x2a, 0x19, 0xa1, 0x85, 0xcd, 0x48, 0xae, 0x04, 0x4f, 0xa6, 0x51, - 0xb3, 0x53, 0xeb, 0x06, 0x87, 0x5f, 0xf7, 0x16, 0xac, 0x76, 0xef, 0xa8, 0xb0, 0x19, 0x93, 0x96, - 0x27, 0xae, 0xb8, 0xa1, 0x73, 0x88, 0x77, 0x7d, 0xac, 0x61, 0x19, 0xaa, 0x64, 0x20, 0x5e, 0x96, - 0x9a, 0x14, 0xc6, 0xaa, 0x09, 0xf1, 0xeb, 0x7d, 0xcf, 0x05, 0x8b, 0x02, 0x7c, 0x13, 0x5a, 0x50, - 0x01, 0xe7, 0x5c, 0xb0, 0xb2, 0xd4, 0xb2, 0x7c, 0x22, 0xe9, 0x84, 0x11, 0xc1, 0xe4, 0xd8, 0x66, - 0x51, 0x0b, 0x4b, 0x2d, 0xf1, 0x2b, 0x3a, 0x61, 0x03, 0x87, 0x86, 0x1d, 0xa7, 0x97, 0xa4, 0xd0, - 0x9a, 0xc9, 0x64, 0x1a, 0xb5, 0x1d, 0x69, 0x1e, 0xda, 0xff, 0xa3, 0x0e, 0x70, 0xc9, 0x4c, 0xe6, - 0x05, 0xf6, 0x1d, 0x6c, 0xb3, 0x71, 0xd9, 0x4f, 0x52, 0x35, 0x13, 0xbb, 0x8e, 0x4a, 0x0b, 0xd1, - 0x36, 0xc4, 0x7e, 0x62, 0xdf, 0xdf, 0x40, 0x73, 0xc2, 0x1f, 0x99, 0x9e, 0x51, 0x51, 0x73, 0x9b, - 0x0e, 0xac, 0x48, 0x87, 0x50, 0xae, 0x13, 0xbd, 0x13, 0xcc, 0xb7, 0x8e, 0x24, 0x19, 0x4b, 0x3e, - 0x1a, 0xa7, 0xbd, 0xf5, 0xf8, 0xa5, 0x37, 0x62, 0x37, 0x4e, 0x9c, 0x29, 0x3c, 0x80, 0x2d, 0x7c, - 0x83, 0xe0, 0xc6, 0x32, 0x3f, 0xd1, 0x15, 0x57, 0x41, 0xcb, 0x19, 0x06, 0x0e, 0x77, 0x23, 0x7d, - 0x0b, 0x08, 0x91, 0xcc, 0xda, 0x1c, 0x99, 0xab, 0x8e, 0xd9, 0x74, 0xf0, 
0x7b, 0x6b, 0x73, 0xc7, - 0x5b, 0xb0, 0x96, 0x6b, 0xff, 0x75, 0x2d, 0xdf, 0x40, 0x93, 0x4b, 0xec, 0x51, 0x22, 0xa8, 0x31, - 0x4e, 0x4a, 0x1b, 0xf1, 0xa6, 0x07, 0x4f, 0x4a, 0xac, 0x3c, 0x33, 0x15, 0xc9, 0xdf, 0x15, 0xaf, - 0x93, 0xc0, 0xc3, 0x37, 0x88, 0x86, 0x13, 0x78, 0x35, 0x8b, 0x86, 0xbb, 0x21, 0x98, 0x26, 0x13, - 0x95, 0x32, 0x27, 0x98, 0xe0, 0xf0, 0xc7, 0x85, 0xdb, 0xf5, 0x34, 0xb2, 0xde, 0x85, 0xcf, 0x3b, - 0xf3, 0xbe, 0x54, 0x29, 0x8b, 0x77, 0xf8, 0x22, 0x38, 0xbc, 0x86, 0xc6, 0xfc, 0x02, 0x83, 0x4b, - 0x71, 0xf0, 0x5c, 0x8a, 0xa7, 0x4d, 0x3d, 0x5e, 0x8a, 0x6a, 0x31, 0xd0, 0xa7, 0xcd, 0x3d, 0x83, - 0x2d, 0x9d, 0x9a, 0xcf, 0x8e, 0x4b, 0xe3, 0xb9, 0x9e, 0xb6, 0x74, 0x6a, 0x3e, 0x3f, 0x2b, 0x4c, - 0xba, 0xfd, 0xb0, 0x9a, 0x26, 0x5c, 0x8e, 0x9d, 0x20, 0xd7, 0xe3, 0x26, 0xa2, 0x23, 0x04, 0xcb, - 0x39, 0xd3, 0x24, 0x29, 0x9b, 0x25, 0x94, 0x17, 0x49, 0x13, 0xcf, 0x0f, 0xc2, 0x03, 0x85, 0x0a, - 0xf9, 0x15, 0x82, 0x94, 0xdd, 0xd3, 0x42, 0x58, 0x2f, 0x28, 0xa7, 0xa5, 0xc6, 0x61, 0x67, 0x61, - 0xa5, 0x73, 0x7f, 0x98, 0xb8, 0xe9, 0xfd, 0xbc, 0x1e, 0x7e, 0x80, 0xdd, 0x89, 0x15, 0x86, 0xb0, - 0xc7, 0x44, 0x14, 0x29, 0x4b, 0xab, 0x69, 0x9a, 0xa8, 0xd5, 0x59, 0xee, 0x6e, 0xc4, 0xdb, 0xa5, - 0xf5, 0xcc, 0x1b, 0xfd, 0x4c, 0xcd, 0xfe, 0x4f, 0xb0, 0xb3, 0x70, 0x2a, 0x61, 0x1d, 0x96, 0xaf, - 0xcf, 0xcf, 0xdb, 0x2f, 0xc2, 0x06, 0xd4, 0x4f, 0xcf, 0xce, 0x8f, 0x6e, 0x07, 0xa3, 0x76, 0x2d, - 0x04, 0x58, 0xbb, 0x19, 0xc5, 0x17, 0x27, 0xa3, 0xf6, 0xd2, 0xfe, 0x5b, 0x80, 0xb9, 0xbb, 0xb0, - 0x0e, 0x2b, 0x57, 0xd7, 0x57, 0x67, 0xed, 0x17, 0x61, 0x00, 0x70, 0x79, 0x3b, 0xba, 0x3d, 0x1a, - 0x90, 0xd1, 0xe0, 0xa6, 0x5d, 0x3b, 0xf8, 0x19, 0xb6, 0x17, 0x5d, 0x98, 0x7f, 0xf7, 0x08, 0x37, - 0xa1, 0x7e, 0x71, 0xf5, 0xfe, 0x2c, 0xbe, 0x18, 0xb5, 0xff, 0xaa, 0x1f, 0xff, 0xef, 0xc3, 0x1e, - 0xb6, 0x82, 0xab, 0x3e, 0xcd, 0x79, 0xff, 0x1f, 0x7f, 0xee, 0xbb, 0x35, 0x37, 0xb2, 0xef, 0xff, - 0x0e, 0x00, 0x00, 0xff, 0xff, 0x2e, 0xbd, 0xe4, 0xe0, 0xd1, 0x07, 0x00, 0x00, + // 958 bytes of a gzipped 
FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x4b, 0x6f, 0x1b, 0x37, + 0x10, 0x8e, 0xfc, 0x92, 0x3d, 0xb2, 0x56, 0x6b, 0x3a, 0x76, 0x36, 0x46, 0xd1, 0x0a, 0x2e, 0x9a, + 0xaa, 0x6e, 0x20, 0x21, 0x6e, 0x7b, 0xe8, 0xa5, 0xa8, 0x9f, 0x8d, 0x01, 0xf9, 0xd1, 0x95, 0x7c, + 0xc9, 0x85, 0xa0, 0x77, 0x69, 0x2d, 0x11, 0x8a, 0x5c, 0x90, 0x5c, 0xd7, 0xca, 0x9f, 0x2d, 0x7a, + 0xeb, 0xcf, 0x28, 0xf8, 0x90, 0xac, 0x06, 0x2a, 0x8c, 0x1e, 0xf5, 0xcd, 0x37, 0x33, 0x3b, 0x9c, + 0xef, 0x1b, 0xc1, 0xde, 0x98, 0xea, 0xa2, 0xf7, 0xf0, 0x8e, 0xf0, 0xb2, 0x20, 0xef, 0x7a, 0x99, + 0x14, 0xf7, 0x6c, 0xd4, 0x2d, 0x95, 0x34, 0x12, 0x6d, 0x33, 0x6d, 0x98, 0xec, 0x5a, 0x46, 0x77, + 0xca, 0xd8, 0xfb, 0x72, 0x24, 0xe5, 0x88, 0xd3, 0x9e, 0xa3, 0xdc, 0x55, 0xf7, 0xbd, 0xbc, 0x52, + 0xc4, 0x30, 0x29, 0x7c, 0xd2, 0xfe, 0x9f, 0x6b, 0xd0, 0xb8, 0x51, 0xf2, 0x71, 0x72, 0xe2, 0x4a, + 0xa1, 0xaf, 0xa0, 0xe1, 0x8b, 0xe2, 0x92, 0x98, 0x22, 0xa9, 0xb5, 0x6b, 0x9d, 0x8d, 0x14, 0x3c, + 0x74, 0x43, 0x4c, 0x61, 0x09, 0x77, 0x4c, 0x10, 0x35, 0xf1, 0x84, 0x25, 0x4f, 0xf0, 0x90, 0x23, + 0x7c, 0x0b, 0x2d, 0x4d, 0xd5, 0x03, 0xcb, 0x28, 0xce, 0x78, 0xa5, 0x0d, 0x55, 0xc9, 0xb2, 0x23, + 0x45, 0x01, 0x3e, 0xf1, 0x28, 0xfa, 0x15, 0xa2, 0x5c, 0x11, 0x26, 0xf0, 0xf4, 0x93, 0x92, 0x95, + 0x76, 0xad, 0xd3, 0x38, 0x7c, 0xdd, 0xf5, 0xdf, 0xdc, 0x9d, 0x7e, 0x73, 0xf7, 0x34, 0x10, 0xd2, + 0xa6, 0x4b, 0x98, 0xfe, 0x44, 0x03, 0x48, 0x4a, 0xa2, 0xa8, 0x30, 0x58, 0x17, 0x95, 0xc9, 0xe5, + 0x1f, 0x73, 0xb5, 0x56, 0x9f, 0xab, 0xb5, 0xeb, 0x53, 0x07, 0x21, 0x73, 0x56, 0xf4, 0x7b, 0xd8, + 0xca, 0x99, 0xce, 0xe4, 0x03, 0x55, 0x13, 0x4c, 0xf2, 0x5c, 0x51, 0xad, 0x93, 0x35, 0x37, 0x41, + 0x3c, 0x0b, 0x1c, 0x79, 0x1c, 0xfd, 0x0e, 0xaf, 0x9e, 0xc8, 0x8a, 0xde, 0x2b, 0xaa, 0x0b, 0x9c, + 0x53, 0x4e, 0x26, 0x49, 0xfd, 0xb9, 0x0f, 0xd8, 0x99, 0x65, 0xa6, 0x3e, 0xf1, 0xd4, 0xe6, 0xa1, + 0x6f, 0x20, 0xfa, 0xc4, 0xca, 0x8f, 0x4c, 0xcc, 0x9a, 0xaf, 0xbb, 0xe6, 0x4d, 0x8f, 0x4e, 0x3b, + 0x1f, 0x43, 0x2b, 
0x93, 0x42, 0xd0, 0xcc, 0x60, 0xc3, 0xc6, 0x54, 0x56, 0x26, 0xd9, 0x78, 0xae, + 0x63, 0x14, 0x32, 0x86, 0x3e, 0x01, 0xbd, 0x05, 0xa4, 0x0d, 0x31, 0x3a, 0xc7, 0x55, 0x5e, 0xce, + 0xda, 0x81, 0x9f, 0xd5, 0x47, 0x6e, 0xf3, 0x72, 0xda, 0xb1, 0x03, 0x71, 0x69, 0x95, 0x82, 0x49, + 0x3e, 0x66, 0x02, 0x97, 0x52, 0x99, 0xa4, 0xd1, 0xae, 0x75, 0x56, 0xd3, 0xc8, 0xe1, 0x47, 0x16, + 0xbe, 0x91, 0xca, 0xd8, 0x27, 0x24, 0x0f, 0x84, 0x71, 0x72, 0xc7, 0x38, 0x33, 0x13, 0xfc, 0x49, + 0x0a, 0x9a, 0x6c, 0xfa, 0xb2, 0xf3, 0x81, 0x0f, 0x52, 0x50, 0x94, 0xc3, 0xeb, 0x4c, 0x0a, 0xa3, + 0x24, 0xc7, 0x25, 0x27, 0x82, 0x62, 0x52, 0x99, 0x02, 0x97, 0x92, 0xb3, 0x6c, 0x92, 0x34, 0xdb, + 0xb5, 0x4e, 0x74, 0xf8, 0x5d, 0x77, 0x81, 0xb4, 0xbb, 0x47, 0x95, 0x29, 0xa8, 0x30, 0x2c, 0x73, + 0xc3, 0xdd, 0xb8, 0x84, 0x74, 0x37, 0xd4, 0xba, 0xb1, 0xa5, 0x2c, 0xc3, 0xe3, 0x76, 0xd4, 0xac, + 0xd2, 0x46, 0x8e, 0x71, 0x90, 0xf7, 0x3d, 0xe3, 0x34, 0x89, 0xfc, 0x37, 0xf9, 0x88, 0x77, 0xc0, + 0x39, 0xe3, 0xd4, 0x8e, 0x6a, 0xc7, 0xc7, 0x82, 0x8c, 0x29, 0xe6, 0x54, 0x8c, 0x4c, 0x91, 0xb4, + 0xfc, 0xa8, 0x16, 0xbf, 0x22, 0x63, 0xda, 0x77, 0x28, 0x6a, 0x3b, 0xbf, 0x64, 0x95, 0x52, 0x54, + 0x64, 0x93, 0x24, 0x76, 0xa4, 0x79, 0x68, 0xff, 0xaf, 0x3a, 0xc0, 0x25, 0xd5, 0x45, 0x30, 0xd8, + 0x5b, 0x40, 0x63, 0xf6, 0x48, 0x15, 0xce, 0x0a, 0x9a, 0x7d, 0xc4, 0xd6, 0x13, 0x54, 0x05, 0x9f, + 0xc5, 0x2e, 0x72, 0x62, 0x03, 0x03, 0x87, 0xa3, 0x2e, 0x6c, 0x7b, 0xb6, 0xa2, 0xf6, 0xbd, 0xa7, + 0x74, 0xef, 0xba, 0x2d, 0x17, 0x4a, 0x5d, 0x24, 0xf0, 0x0f, 0xc1, 0xaa, 0x8a, 0xdc, 0x71, 0x1a, + 0x5e, 0xd0, 0xb7, 0xd1, 0xce, 0x82, 0xeb, 0xe9, 0x76, 0x08, 0xfa, 0x47, 0x71, 0x8d, 0x34, 0x3a, + 0x80, 0x2d, 0xbf, 0x57, 0xce, 0xb4, 0xa1, 0x61, 0xb1, 0x2b, 0x6e, 0x90, 0x96, 0x0b, 0xf4, 0x1d, + 0xee, 0x36, 0xfb, 0x06, 0x3c, 0x84, 0x0b, 0x63, 0x4a, 0xcf, 0x5c, 0x75, 0xcc, 0xa6, 0x83, 0xdf, + 0x1b, 0x53, 0x3a, 0xde, 0x02, 0x75, 0xae, 0xfd, 0x5f, 0x75, 0x7e, 0x0d, 0x4d, 0x26, 0x46, 0x56, + 0x7a, 0x38, 0xe3, 0x44, 0x6b, 0xe7, 0xa8, 0x8d, 0x74, 
0x33, 0x80, 0x27, 0x16, 0xb3, 0xd7, 0x66, + 0x4a, 0x0a, 0xe7, 0x25, 0xd8, 0x25, 0x0a, 0xf0, 0xc0, 0xa3, 0x68, 0x0c, 0xaf, 0x66, 0xd5, 0xbc, + 0x44, 0x38, 0x55, 0x78, 0x2c, 0x73, 0xea, 0x7c, 0x13, 0x1d, 0xfe, 0xb4, 0x50, 0x64, 0x4f, 0x9b, + 0xeb, 0x5e, 0x84, 0xbe, 0xb3, 0xec, 0x4b, 0x99, 0xd3, 0x74, 0x87, 0x2d, 0x82, 0xd1, 0x35, 0x34, + 0xe6, 0x75, 0x0c, 0xae, 0xc5, 0xc1, 0x73, 0x2d, 0x9e, 0x04, 0x7b, 0xbc, 0x94, 0xd4, 0x52, 0x20, + 0x4f, 0x02, 0x3e, 0x83, 0x2d, 0x95, 0xeb, 0xcf, 0x6e, 0x4c, 0xe3, 0xb9, 0x37, 0x6d, 0xa9, 0x5c, + 0x7f, 0x7e, 0x5d, 0xa8, 0x70, 0xfa, 0x30, 0x8a, 0x64, 0x4c, 0x8c, 0x9c, 0x2f, 0xd7, 0xd3, 0xa6, + 0x47, 0x87, 0x1e, 0xb4, 0x7b, 0x26, 0x59, 0x66, 0x1f, 0x8b, 0xcb, 0xe0, 0x95, 0xa6, 0xbf, 0x42, + 0x1e, 0xee, 0x4b, 0x6f, 0x94, 0xdf, 0x20, 0xca, 0xe9, 0x3d, 0xa9, 0xb8, 0x09, 0xbe, 0x72, 0x96, + 0x6a, 0x1c, 0xb6, 0x17, 0x4e, 0x3a, 0xf7, 0x47, 0x93, 0x36, 0x43, 0x5e, 0xb0, 0xc5, 0x8f, 0xb0, + 0x3b, 0x36, 0x5c, 0x63, 0xfa, 0x98, 0xf1, 0x2a, 0xa7, 0xf9, 0x74, 0x9b, 0x3a, 0x69, 0xb5, 0x97, + 0x3b, 0x1b, 0xe9, 0x4b, 0x1b, 0x3d, 0x0b, 0xc1, 0xb0, 0x53, 0x6d, 0x25, 0xe2, 0xed, 0x31, 0xbd, + 0x5d, 0xb1, 0x97, 0x88, 0x03, 0xc3, 0xdd, 0xda, 0xff, 0x19, 0x76, 0x16, 0xae, 0x0e, 0xd5, 0x61, + 0xf9, 0xfa, 0xfc, 0x3c, 0x7e, 0x81, 0x1a, 0x50, 0x3f, 0x3d, 0x3b, 0x3f, 0xba, 0xed, 0x0f, 0xe3, + 0x1a, 0x02, 0x58, 0x1b, 0x0c, 0xd3, 0x8b, 0x93, 0x61, 0xbc, 0xb4, 0xff, 0x06, 0x60, 0xee, 0x86, + 0xac, 0xc3, 0xca, 0xd5, 0xf5, 0xd5, 0x59, 0xfc, 0x02, 0x45, 0x00, 0x97, 0xb7, 0xc3, 0xdb, 0xa3, + 0x3e, 0x1e, 0xf6, 0x07, 0x71, 0xed, 0xe0, 0x17, 0x78, 0xb9, 0xe8, 0x1a, 0xfd, 0x77, 0x06, 0xda, + 0x84, 0xfa, 0xc5, 0xd5, 0xfb, 0xb3, 0xf4, 0x62, 0x18, 0xff, 0x5d, 0x3f, 0xfe, 0xe2, 0xc3, 0x9e, + 0x7f, 0x2f, 0x26, 0x7b, 0xa4, 0x64, 0xbd, 0x7f, 0xfd, 0xcb, 0xdf, 0xad, 0xb9, 0xbd, 0xfe, 0xf0, + 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xde, 0xe8, 0x6d, 0xe0, 0xfd, 0x07, 0x00, 0x00, } 
diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 1c79ef32ba9..8dc99f665dc 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto @@ -117,15 +117,25 @@ message ProxyConfig { // MeshConfig defines mesh-wide variables shared by all Envoy instances in the // Istio service mesh. message MeshConfig { - // Address of the egress Envoy service (e.g. _istio-egress:80_). - string egress_proxy_address = 1; - - // Address of the mixer service (e.g. _istio-mixer:15004_). - // Empty value disables Mixer checks and telemetry. - string mixer_address = 2; - - // Disable policy checks by the mixer service. Metrics will still be - // reported to the mixer for HTTP requests and TCP connections. Default + // Address of the server that will be used by the proxies for policy + // check calls (e.g. _istio-mixer:15004_). By using different names for + // mixerCheckServer and mixerReportServer, it is possible to have one set + // of mixer servers handle policy check calls, while another set of mixer + // servers handle telemetry calls. + // + // NOTE: Omitting mixerCheckServer while specifying mixerReportServer is + // equivalent to setting disablePolicyChecks to true. + string mixer_check_server = 1; + + // Address of the server that will be used by the proxies as an Istio + // telemetry sink (access logs, API/connection metrics) + // (e.g. _istio-mixer:15004_). By using different names for + // mixerCheckServer and mixerReportServer, it is possible to have one set + // of mixer servers handle policy check calls, while another set of mixer + // servers handle telemetry calls. + string mixer_report_server = 2; + + // Disable policy checks by the mixer service. Default // is false, i.e. mixer policy check is enabled by default. bool disable_policy_checks = 3; 
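Review bot: Field numbers 1 and 2 of `MeshConfig` are reused with new meanings in this hunk: 1 changes from `egress_proxy_address` to `mixer_check_server`, and 2 changes from `mixer_address` to `mixer_report_server`. If any component stores or exchanges this message in binary form (not visible here), an old payload would decode with the egress proxy address as the policy-check server. Leaving `mixer_address` on 2, adding `reserved 1;` and `reserved "egress_proxy_address";`, and putting the two new fields on unused numbers avoids that reinterpretation. The NOTE also documents a fail-open default, since omitting `mixer_check_server` turns policy checks off; I would add a comment line such as `// Set disable_policy_checks explicitly; do not rely on omitting this field.`. The body of `MeshConfig` starts and ends outside the hunk.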
@@ -208,4 +218,8 @@ message MeshConfig { // DO NOT use this setting for services that are managed by Istio (i.e. using Istio sidecar). // Instead, use service-level annotations to overwrite the authentication policy. repeated string mtls_excluded_services = 15; + + // DEPRECATED. Mixer address. This option will be removed soon. Please + // use mixer_check_server and mixer_report_server. + string mixer_address = 16; } diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index 75ae2c6a7d6..f6d80d17f8c 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -60,20 +60,31 @@
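Review bot: The re-added `mixer_address = 16` is marked deprecated only in its comment, so generated code and linters will not flag remaining uses; `string mixer_address = 16 [deprecated = true];` carries the marker into the schema. The comment also does not say which value wins when `mixer_address` is set together with `mixer_check_server` or `mixer_report_server`. That precedence decides which server receives policy checks, so it should be stated here, for example `// Ignored when mixer_check_server or mixer_report_server is set.` if that is the intended behaviour. `MeshConfig` begins outside this hunk.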

MeshConfig

- -egressProxyAddress + +mixerCheckServer string -

Address of the egress Envoy service (e.g. istio-egress:80).

+

Address of the server that will be used by the proxies for policy +check calls (e.g. istio-mixer:15004). By using different names for +mixerCheckServer and mixerReportServer, it is possible to have one set +of mixer servers handle policy check calls, while another set of mixer +servers handle telemetry calls.

+ +

NOTE: Omitting mixerCheckServer while specifying mixerReportServer is +equivalent to setting disablePolicyChecks to true.

- -mixerAddress + +mixerReportServer string -

Address of the mixer service (e.g. istio-mixer:15004). -Empty value disables Mixer checks and telemetry.

+

Address of the server that will be used by the proxies as an Istio +telemetry sink (access logs, API/connection metrics) +(e.g. istio-mixer:15004). By using different names for +mixerCheckServer and mixerReportServer, it is possible to have one set +of mixer servers handle policy check calls, while another set of mixer +servers handle telemetry calls.

@@ -81,8 +92,7 @@

MeshConfig

disablePolicyChecks bool -

Disable policy checks by the mixer service. Metrics will still be -reported to the mixer for HTTP requests and TCP connections. Default +

Disable policy checks by the mixer service. Default is false, i.e. mixer policy check is enabled by default.

@@ -197,6 +207,15 @@

MeshConfig

DO NOT use this setting for services that are managed by Istio (i.e. using Istio sidecar). Instead, use service-level annotations to overwrite the authentication policy.

+ + + +mixerAddress +string + +

DEPRECATED. Mixer address. This option will be removed soon. Please +use mixercheckserver and mixerreportserver.

+ From b068214e5b14acdbb76f0cd32bae9be75c1458cf Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Thu, 8 Feb 2018 20:34:52 -0500 Subject: [PATCH 08/15] ci fix (#366) --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 20b0a4f99d9..6adc3d08cd1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,7 +2,7 @@ version: 2 defaults: &defaults working_directory: /go/src/istio.io/api docker: - - image: istio/ci:go1.9-k8s1.7.4 + - image: istio/ci:go1.9-k8s1.9-helm2.7.2-minikube0.25 environment: GOPATH: /go @@ -11,9 +11,9 @@ jobs: <<: *defaults steps: - checkout - - run: ./scripts/generate-protos.sh - run: command: | + ./scripts/generate-protos.sh || die "could not generate *.pb.go" if [[ -n $(git status --porcelain) ]]; then git status git --no-pager diff From 452c6102851e50d9eda9c1ba8099cf802b62f017 Mon Sep 17 00:00:00 2001 From: Hong Zhang Date: Thu, 8 Feb 2018 20:36:26 -0800 Subject: [PATCH 09/15] Update STYLE-GUIDE.md (#343) * Update STYLE-GUIDE.md Mention the CRD kind must match proto message. * Update STYLE-GUIDE.md Mention `apiVersion` must match proto package. * Update STYLE-GUIDE.md Explain apiVersion = group/version. --- STYLE-GUIDE.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/STYLE-GUIDE.md b/STYLE-GUIDE.md index f1df6a65185..451250abfef 100644 --- a/STYLE-GUIDE.md +++ b/STYLE-GUIDE.md 
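Review bot: In the second hunk of `.circleci/config.yml`, the new `run` command calls `die`, which is not a shell builtin and is not defined in the visible command. Unless the CI image provides it, a failing `./scripts/generate-protos.sh` would report `die: command not found` rather than the intended message. `./scripts/generate-protos.sh || { echo "could not generate *.pb.go" >&2; exit 1; }` keeps the step failing with a readable error. In the first hunk, `istio/ci:go1.9-k8s1.9-helm2.7.2-minikube0.25` is referenced by mutable tag; pinning by digest (`istio/ci@sha256:<digest-placeholder>`) would stop the build from silently picking up a re-pushed image. The `run` block continues past the end of the hunk.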
@@ -38,8 +38,14 @@ naming convention: ## Versioning When defining Kubernetes Custom Resource Definition (CRD) using -proto3, the proto versioning should match the Kubernetes versioning, -see the following example. +`proto3`, follow the following guidelines: +* The proto `package` name must match the Kubernetes `apiVersion`, + excluding the `.io` DNS suffix and reversing the DNS segment + ordering. The Kubernetes `apiVersion` has the format of + `group/version`. +* The proto message type must match the CRD `kind` name. + +#### Example The Kubernetes CRD: From c1c2c3495c15747a1cb335c35b5cf9ee39277eac Mon Sep 17 00:00:00 2001 From: Hong Zhang Date: Fri, 9 Feb 2018 06:29:22 -0800 Subject: [PATCH 10/15] Update STYLE-GUIDE.md (#369) Update guideline not to use acronyms in API definition. Fixed #364. --- STYLE-GUIDE.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/STYLE-GUIDE.md b/STYLE-GUIDE.md index 451250abfef..5706aeceb23 100644 --- a/STYLE-GUIDE.md +++ b/STYLE-GUIDE.md @@ -23,8 +23,9 @@ naming convention: are recommended to avoid mixture of plural and singular words in a package name. For example, `istio.network.config.v1`. -* Message/enum/method names must use `CamelCase` with embedded - acronyms. For example, `HTTPRequest`. +* Message/enum/method names must use `CamelCase` without any embedded + acronyms, see [#364](https://github.com/istio/api/issues/364) for + reasons. For example, `HttpRequest`. * Enum values must use `UPPERCASE_WITH_UNDERSCORE`. For example, `INT_TYPE`. @@ -38,11 +39,13 @@ naming convention: ## Versioning When defining Kubernetes Custom Resource Definition (CRD) using -`proto3`, follow the following guidelines: +`proto3`, follow these guidelines: + * The proto `package` name must match the Kubernetes `apiVersion`, excluding the `.io` DNS suffix and reversing the DNS segment ordering. The Kubernetes `apiVersion` has the format of `group/version`. + * The proto message type must match the CRD `kind` name. #### Example 
From ce7c931ee4f216a9847f7f6ab75e8c2543d1386c Mon Sep 17 00:00:00 2001 From: Martin Taillefer Date: Fri, 9 Feb 2018 12:23:30 -0800 Subject: [PATCH 11/15] Update the reference docs. (#371) --- Gopkg.lock | 6 ++--- .../istio.authentication.v1alpha1.pb.html | 4 +-- authentication/v1alpha1/policy.pb.go | 4 ++- .../istio.mixer.v1.config.client.pb.html | 8 +++--- mixer/v1/config/istio.mixer.v1.config.pb.html | 4 +-- mixer/v1/istio.mixer.v1.pb.html | 26 +++++++++---------- rbac/v1alpha1/istio.rbac.v1alpha1.pb.html | 2 +- .../v1alpha1/istio.routing.v1alpha1.pb.html | 8 +++--- .../v1alpha2/istio.routing.v1alpha2.pb.html | 16 ++++++------ 9 files changed, 39 insertions(+), 39 deletions(-) diff --git a/Gopkg.lock b/Gopkg.lock index cebc283276c..8dd71bd5f30 100644 --- a/Gopkg.lock +++ b/Gopkg.lock @@ -59,7 +59,7 @@ branch = "master" name = "github.com/istio/tools" packages = ["protoc-gen-docs"] - revision = "1e861aafb19104e025d5de4f3898f88f6f6b6534" + revision = "c0460eddc3bf4c4183364d61a328ccd6cbc75e5d" [[projects]] branch = "master" @@ -79,7 +79,7 @@ "lex/httplex", "trace" ] - revision = "2fb46b16b8dda405028c50f7c7f0f9dd1fa6bfb1" + revision = "f5dfe339be1d06f81b22525fe34671ee7d2c8904" [[projects]] branch = "master" @@ -100,7 +100,7 @@ "unicode/norm", "unicode/rangetable" ] - revision = "e19ae1496984b1c655b8044a65c0300a3c878dd3" + revision = "4e4a3210bb54bb31f6ab2cdca2edcc0b50c420c1" [[projects]] branch = "master" diff --git a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html index 613d4e70a52..87a45dac0c2 100644 --- a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html +++ b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html @@ -4,7 +4,6 @@ layout: protoc-gen-docs number_of_entries: 6 --- -{% raw %}

This package defines user-facing authentication policy as well as configs that the sidecar proxy uses to perform authentication.

@@ -184,7 +183,7 @@

Policy

spec: match: peers: - - mtls: {} + - mtls: {}

Policy to enable mTLS, and use JWT for productpage:9000

@@ -425,4 +424,3 @@

istio.routing.v1alpha2.Destination -{% endraw %} diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go index 9bc9cb3ce95..4e373090d2f 100644 --- a/authentication/v1alpha1/policy.pb.go +++ b/authentication/v1alpha1/policy.pb.go @@ -173,7 +173,9 @@ func (m *Mechanism) String() string { return proto.CompactTextString( func (*Mechanism) ProtoMessage() {} func (*Mechanism) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } -type isMechanism_Params interface{ isMechanism_Params() } +type isMechanism_Params interface { + isMechanism_Params() +} type Mechanism_None struct { None *None `protobuf:"bytes,1,opt,name=none,oneof"` diff --git a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html index d10c2c1bbb6..c4eaebcaecd 100644 --- a/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html +++ b/mixer/v1/config/client/istio.mixer.v1.config.client.pb.html @@ -87,7 +87,7 @@

AttributeMatch

clause -map<string, StringMatch> +map<string,StringMatch>

Map of attribute names to StringMatch type. Each map element specifies one condition to match.

@@ -507,7 +507,7 @@

HttpClientConfig

serviceConfigs -map<string, ServiceConfig> +map<string,ServiceConfig>

Map of control configuration indexed by destination.service. This is used to support per-service configuration for cases where a @@ -595,7 +595,7 @@

IstioService

labels -map<string, string> +map<string,string>

Optional one or more labels that uniquely identify the service version.

@@ -1270,7 +1270,7 @@

istio.mixer.v1.Attributes

attributes -map<string, istio.mixer.v1.Attributes.AttributeValue> +map<string,istio.mixer.v1.Attributes.AttributeValue>

A map of attribute name to its value.

diff --git a/mixer/v1/config/istio.mixer.v1.config.pb.html b/mixer/v1/config/istio.mixer.v1.config.pb.html index e52bc0519e1..306e8731b78 100644 --- a/mixer/v1/config/istio.mixer.v1.config.pb.html +++ b/mixer/v1/config/istio.mixer.v1.config.pb.html @@ -84,7 +84,7 @@

AttributeManifest

attributes -map<string, AttributeManifest.AttributeInfo> +map<string,AttributeManifest.AttributeInfo>

The set of attributes this Istio component will be responsible for producing at runtime. We map from attribute name to the attribute’s specification. The name of an attribute, @@ -370,7 +370,7 @@

google.protobuf.Struct

fields -map<string, google.protobuf.Value> +map<string,google.protobuf.Value>

Unordered map of dynamically typed values.

diff --git a/mixer/v1/istio.mixer.v1.pb.html b/mixer/v1/istio.mixer.v1.pb.html index 68264dfe444..11d7fc07438 100644 --- a/mixer/v1/istio.mixer.v1.pb.html +++ b/mixer/v1/istio.mixer.v1.pb.html @@ -92,7 +92,7 @@

Attributes

attributes -map<string, Attributes.AttributeValue> +map<string,Attributes.AttributeValue>

A map of attribute name to its value.

@@ -196,7 +196,7 @@

Attributes.StringMap

entries -map<string, string> +map<string,string>

Holds a set of name/value pairs.

@@ -250,7 +250,7 @@

CheckRequest

quotas -map<string, CheckRequest.QuotaParams> +map<string,CheckRequest.QuotaParams>

The individual quotas to allocate

@@ -314,7 +314,7 @@

CheckResponse

quotas -map<string, CheckResponse.QuotaResult> +map<string,CheckResponse.QuotaResult>

The resulting quota, one entry per requested quota.

@@ -457,7 +457,7 @@

CompressedAttributes

strings -map<int32, int32> +map<int32,int32>

Holds attributes of type STRING, DNSNAME, EMAILADDRESS, URI

@@ -465,7 +465,7 @@

CompressedAttributes

int64s -map<int32, int64> +map<int32,int64>

Holds attributes of type INT64

@@ -473,7 +473,7 @@

CompressedAttributes

doubles -map<int32, double> +map<int32,double>

Holds attributes of type DOUBLE

@@ -481,7 +481,7 @@

CompressedAttributes

bools -map<int32, bool> +map<int32,bool>

Holds attributes of type BOOL

@@ -489,7 +489,7 @@

CompressedAttributes

timestamps -map<int32, google.protobuf.Timestamp> +map<int32,google.protobuf.Timestamp>

Holds attributes of type TIMESTAMP

@@ -497,7 +497,7 @@

CompressedAttributes

durations -map<int32, google.protobuf.Duration> +map<int32,google.protobuf.Duration>

Holds attributes of type DURATION

@@ -505,7 +505,7 @@

CompressedAttributes

bytes -map<int32, bytes> +map<int32,bytes>

Holds attributes of type BYTES

@@ -513,7 +513,7 @@

CompressedAttributes

stringMaps -map<int32, StringMap> +map<int32,StringMap>

Holds attributes of type STRING_MAP

@@ -740,7 +740,7 @@

StringMap

entries -map<int32, int32> +map<int32,int32>

Holds a set of name/value pairs.

diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html index bcefdc887e8..83cfbed8bba 100644 --- a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html +++ b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html @@ -319,7 +319,7 @@

Subject

properties -map<string, string> +map<string,string>

Optional. The set of properties that identify the subject. In the above ServiceRoleBinding example, the second subject has two properties: diff --git a/routing/v1alpha1/istio.routing.v1alpha1.pb.html b/routing/v1alpha1/istio.routing.v1alpha1.pb.html index 1246332b587..e1d4f685cbc 100644 --- a/routing/v1alpha1/istio.routing.v1alpha1.pb.html +++ b/routing/v1alpha1/istio.routing.v1alpha1.pb.html @@ -456,7 +456,7 @@

DestinationWeight

labels -map<string, string> +map<string,string>

Sometimes required. Service version identifier for the destination service. (– N.B. The map is used instead of pstruct due to lack of serialization support @@ -1213,7 +1213,7 @@

IstioService

labels -map<string, string> +map<string,string>

Optional one or more labels that uniquely identify the service version.

@@ -1581,7 +1581,7 @@

MatchRequest

headers -map<string, StringMatch> +map<string,StringMatch>

Set of HTTP match conditions based on HTTP/1.1, HTTP/2, GRPC request metadata, such as uri, scheme, authority. The header keys must be @@ -1780,7 +1780,7 @@

RouteRule

appendHeaders -map<string, string> +map<string,string>

Additional HTTP headers to add before forwarding a request to the destnation service.

diff --git a/routing/v1alpha2/istio.routing.v1alpha2.pb.html b/routing/v1alpha2/istio.routing.v1alpha2.pb.html index 222f26e1063..ebbe08fc77a 100644 --- a/routing/v1alpha2/istio.routing.v1alpha2.pb.html +++ b/routing/v1alpha2/istio.routing.v1alpha2.pb.html @@ -904,7 +904,7 @@

ExternalService.Endpoint

ports -map<string, uint32> +map<string,uint32>

Set of ports associated with the endpoint. The ports must be associated with a port name that was declared as part of the @@ -914,7 +914,7 @@

ExternalService.Endpoint

labels -map<string, string> +map<string,string>

One or more labels associated with the endpoint.

@@ -1067,7 +1067,7 @@

Gateway

selector -map<string, string> +map<string,string>

REQUIRED: One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied.

@@ -1363,7 +1363,7 @@

HTTPMatchRequest

headers -map<string, StringMatch> +map<string,StringMatch>

The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id.

@@ -1397,7 +1397,7 @@

HTTPMatchRequest

sourceLabels -map<string, string> +map<string,string>

One or more labels that constrain the applicability of a rule to workloads with the given labels. If the route rule has a list of @@ -1704,7 +1704,7 @@

HTTPRoute

appendHeaders -map<string, string> +map<string,string>

Additional HTTP headers to add before forwarding a request to the destination service.

@@ -1765,7 +1765,7 @@

L4MatchAttributes

sourceLabels -map<string, string> +map<string,string>

One or more labels that constrain the applicability of a rule to workloads with the given labels. If the route rule has a list of @@ -2573,7 +2573,7 @@

Subset

labels -map<string, string> +map<string,string>

REQUIRED. Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.

From 1df15940e081fe973f7b971b0f4da578f2bd14a7 Mon Sep 17 00:00:00 2001 From: Hong Zhang Date: Fri, 9 Feb 2018 12:50:00 -0800 Subject: [PATCH 12/15] Update STYLE-GUIDE.md (#373) Add a rule for repeated fields. --- STYLE-GUIDE.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/STYLE-GUIDE.md b/STYLE-GUIDE.md index 5706aeceb23..e9d58f8efc5 100644 --- a/STYLE-GUIDE.md +++ b/STYLE-GUIDE.md @@ -1,8 +1,8 @@ # Istio API Style Guide This page defines the design guidelines for Istio APIs. They apply to -all proto files in the Istio project. Developers who create their APIs -using Istio may find these guidelines useful as well. +all proto files in the Istio project. Developers who create their own +APIs using Istio should find these guidelines useful as well. Since Istio APIs are based on _proto3_ and _gRPC_, we will use Google's [API Design Guide](https://cloud.google.com/apis/design) as @@ -16,8 +16,8 @@ followed for Istio APIs. ## Naming Having consistent naming improves understanding of the APIs and reduce -churns on the API design. Istio APIs should follow the following -naming convention: +churns on the API design. Istio APIs should follow these naming +conventions: * Package names must use `lowercase` without any `_`. Singular words are recommended to avoid mixture of plural and singular words in @@ -33,7 +33,10 @@ naming convention: * Field names must use `lowercase_with_underscore`. For example, `display_name`. -* Avoid using postpositive adjectives. For example, +* Repeated fields must use proper plural names. For example, + `rules`. + +* Avoid using postpositive adjectives in names. For example, `collected_items` is recommended over `items_collected`. ## Versioning From 3b06e4580731d1d882de996f6b8c8cc15f450625 Mon Sep 17 00:00:00 2001 
From: Tao Li Date: Mon, 12 Feb 2018 13:42:48 -0800 Subject: [PATCH 13/15] Add a separate mTLS port for pilot and mixer (#370) * Address comment * Address comment * Fix typo --- mesh/v1alpha1/config.pb.go | 220 ++++++++++++++-------- mesh/v1alpha1/config.proto | 46 +++-- mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 86 +++++++-- 3 files changed, 238 insertions(+), 114 deletions(-) diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 6113a1f6efc..bd01b0e1437 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go @@ -8,6 +8,7 @@ It is generated from these files: mesh/v1alpha1/config.proto It has these top-level messages: + ServerAddress ProxyConfig MeshConfig */ @@ -95,7 +96,7 @@ func (x MeshConfig_IngressControllerMode) String() string { return proto.EnumName(MeshConfig_IngressControllerMode_name, int32(x)) } func (MeshConfig_IngressControllerMode) EnumDescriptor() ([]byte, []int) { - return fileDescriptor0, []int{1, 0} + return fileDescriptor0, []int{2, 0} } // TODO AuthPolicy needs to be removed and merged with AuthPolicy defined above 
@@ -120,7 +121,35 @@ var MeshConfig_AuthPolicy_value = map[string]int32{ func (x MeshConfig_AuthPolicy) String() string { return proto.EnumName(MeshConfig_AuthPolicy_name, int32(x)) } -func (MeshConfig_AuthPolicy) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{1, 1} } +func (MeshConfig_AuthPolicy) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{2, 1} } + +// ServerAddress specifies the address of Istio components like mixer, pilot, etc. +// At least one of the field needs to be specified. +type ServerAddress struct { + // The address for mTLS server, e.g., (_istio-pilot:15003_) + MutualTls string `protobuf:"bytes,1,opt,name=mutual_tls,json=mutualTls" json:"mutual_tls,omitempty"` + // The address for plain text server, e.g., (_istio-pilot:15005_) + PlainText string `protobuf:"bytes,2,opt,name=plain_text,json=plainText" json:"plain_text,omitempty"` +} + +func (m *ServerAddress) Reset() { *m = ServerAddress{} } +func (m *ServerAddress) String() string { return proto.CompactTextString(m) } +func (*ServerAddress) ProtoMessage() {} +func (*ServerAddress) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } + +func (m *ServerAddress) GetMutualTls() string { + if m != nil { + return m.MutualTls + } + return "" +} + +func (m *ServerAddress) GetPlainText() string { + if m != nil { + return m.PlainText + } + return "" +} // ProxyConfig defines variables for individual Envoy instances. type ProxyConfig struct { 
@@ -150,7 +179,7 @@ type ProxyConfig struct { // parent process during a hot restart. MUST be >=1s (e.g., _1s/1m/1h_). // MUST BE greater than _drain_duration_ parameter. ParentShutdownDuration *google_protobuf.Duration `protobuf:"bytes,5,opt,name=parent_shutdown_duration,json=parentShutdownDuration" json:"parent_shutdown_duration,omitempty"` - // Address of the discovery service exposing xDS (e.g. _istio-pilot:8080_). + // Deprecated, use server_address instead. DiscoveryAddress string `protobuf:"bytes,6,opt,name=discovery_address,json=discoveryAddress" json:"discovery_address,omitempty"` // Polling interval for service discovery (used by EDS, CDS, LDS, but not RDS). (MUST BE >=1ms) DiscoveryRefreshDelay *google_protobuf.Duration `protobuf:"bytes,7,opt,name=discovery_refresh_delay,json=discoveryRefreshDelay" json:"discovery_refresh_delay,omitempty"` @@ -180,12 +209,14 @@ type ProxyConfig struct { StatNameLength int32 `protobuf:"varint,15,opt,name=stat_name_length,json=statNameLength" json:"stat_name_length,omitempty"` // The number of worker threads to run. Default value is number of cores on the machine. Concurrency int32 `protobuf:"varint,16,opt,name=concurrency" json:"concurrency,omitempty"` + // Address of the discovery service exposing xDS. + Pilot *ServerAddress `protobuf:"bytes,17,opt,name=pilot" json:"pilot,omitempty"` } func (m *ProxyConfig) Reset() { *m = ProxyConfig{} } func (m *ProxyConfig) String() string { return proto.CompactTextString(m) } func (*ProxyConfig) ProtoMessage() {} -func (*ProxyConfig) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } +func (*ProxyConfig) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } func (m *ProxyConfig) GetConfigPath() string { if m != nil { 
@@ -299,24 +330,19 @@ func (m *ProxyConfig) GetConcurrency() int32 { return 0 } +func (m *ProxyConfig) GetPilot() *ServerAddress { + if m != nil { + return m.Pilot + } + return nil +} + // MeshConfig defines mesh-wide variables shared by all Envoy instances in the // Istio service mesh. type MeshConfig struct { - // Address of the server that will be used by the proxies for policy - // check calls (e.g. _istio-mixer:15004_). By using different names for - // mixerCheckServer and mixerReportServer, it is possible to have one set - // of mixer servers handle policy check calls, while another set of mixer - // servers handle telemetry calls. - // - // NOTE: Omitting mixerCheckServer while specifying mixerReportServer is - // equivalent to setting disablePolicyChecks to true. + // Deprecated, use mixer_check instead. MixerCheckServer string `protobuf:"bytes,1,opt,name=mixer_check_server,json=mixerCheckServer" json:"mixer_check_server,omitempty"` - // Address of the server that will be used by the proxies as an Istio - // telemetry sink (access logs, API/connection metrics) - // (e.g. _istio-mixer:15004_). By using different names for - // mixerCheckServer and mixerReportServer, it is possible to have one set - // of mixer servers handle policy check calls, while another set of mixer - // servers handle telemetry calls. + // Deprecated, use mixer_report instead. MixerReportServer string `protobuf:"bytes,2,opt,name=mixer_report_server,json=mixerReportServer" json:"mixer_report_server,omitempty"` // Disable policy checks by the mixer service. Default // is false, i.e. mixer policy check is enabled by default. 
@@ -362,14 +388,25 @@ type MeshConfig struct { // Instead, use service-level annotations to overwrite the authentication policy. MtlsExcludedServices []string `protobuf:"bytes,15,rep,name=mtls_excluded_services,json=mtlsExcludedServices" json:"mtls_excluded_services,omitempty"` // DEPRECATED. Mixer address. This option will be removed soon. Please - // use mixer_check_server and mixer_report_server. + // use mixer_check and mixer_report. MixerAddress string `protobuf:"bytes,16,opt,name=mixer_address,json=mixerAddress" json:"mixer_address,omitempty"` + // Address of the server that will be used by the proxies for policy + // check calls. By using different names for mixerCheck and mixerReport, it + // is possible to have one set of mixer servers handle policy check calls, + // while another set of mixer servers handle telemetry calls. + // + // NOTE: Omitting mixerCheck while specifying mixerReport is + // equivalent to setting disablePolicyChecks to true. + MixerCheck *ServerAddress `protobuf:"bytes,17,opt,name=mixer_check,json=mixerCheck" json:"mixer_check,omitempty"` + // Address of the server that will be used by the proxies for policy report + // calls. + MixerReport *ServerAddress `protobuf:"bytes,18,opt,name=mixer_report,json=mixerReport" json:"mixer_report,omitempty"` } func (m *MeshConfig) Reset() { *m = MeshConfig{} } func (m *MeshConfig) String() string { return proto.CompactTextString(m) } func (*MeshConfig) ProtoMessage() {} -func (*MeshConfig) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } +func (*MeshConfig) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } func (m *MeshConfig) GetMixerCheckServer() string { if m != nil { 
@@ -483,7 +520,22 @@ func (m *MeshConfig) GetMixerAddress() string { return "" } +func (m *MeshConfig) GetMixerCheck() *ServerAddress { + if m != nil { + return m.MixerCheck + } + return nil +} + +func (m *MeshConfig) GetMixerReport() *ServerAddress { + if m != nil { + return m.MixerReport + } + return nil +} + func init() { + proto.RegisterType((*ServerAddress)(nil), "istio.mesh.v1alpha1.ServerAddress") proto.RegisterType((*ProxyConfig)(nil), "istio.mesh.v1alpha1.ProxyConfig") proto.RegisterType((*MeshConfig)(nil), "istio.mesh.v1alpha1.MeshConfig") proto.RegisterEnum("istio.mesh.v1alpha1.AuthenticationPolicy", AuthenticationPolicy_name, AuthenticationPolicy_value) 
@@ -494,65 +546,71 @@ func init() { func init() { proto.RegisterFile("mesh/v1alpha1/config.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 958 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x4b, 0x6f, 0x1b, 0x37, - 0x10, 0x8e, 0xfc, 0x92, 0x3d, 0xb2, 0x56, 0x6b, 0x3a, 0x76, 0x36, 0x46, 0xd1, 0x0a, 0x2e, 0x9a, - 0xaa, 0x6e, 0x20, 0x21, 0x6e, 0x7b, 0xe8, 0xa5, 0xa8, 0x9f, 0x8d, 0x01, 0xf9, 0xd1, 0x95, 0x7c, - 0xc9, 0x85, 0xa0, 0x77, 0x69, 0x2d, 0x11, 0x8a, 0x5c, 0x90, 0x5c, 0xd7, 0xca, 0x9f, 0x2d, 0x7a, - 0xeb, 0xcf, 0x28, 0xf8, 0x90, 0xac, 0x06, 0x2a, 0x8c, 0x1e, 0xf5, 0xcd, 0x37, 0x33, 0x3b, 0x9c, - 0xef, 0x1b, 0xc1, 0xde, 0x98, 0xea, 0xa2, 0xf7, 0xf0, 0x8e, 0xf0, 0xb2, 0x20, 0xef, 0x7a, 0x99, - 0x14, 0xf7, 0x6c, 0xd4, 0x2d, 0x95, 0x34, 0x12, 0x6d, 0x33, 0x6d, 0x98, 0xec, 0x5a, 0x46, 0x77, - 0xca, 0xd8, 0xfb, 0x72, 0x24, 0xe5, 0x88, 0xd3, 0x9e, 0xa3, 0xdc, 0x55, 0xf7, 0xbd, 0xbc, 0x52, - 0xc4, 0x30, 0x29, 0x7c, 0xd2, 0xfe, 0x9f, 0x6b, 0xd0, 0xb8, 0x51, 0xf2, 0x71, 0x72, 0xe2, 0x4a, - 0xa1, 0xaf, 0xa0, 0xe1, 0x8b, 0xe2, 0x92, 0x98, 0x22, 0xa9, 0xb5, 0x6b, 0x9d, 0x8d, 0x14, 0x3c, - 0x74, 0x43, 0x4c, 0x61, 0x09, 0x77, 0x4c, 0x10, 0x35, 0xf1, 0x84, 0x25, 0x4f, 0xf0, 0x90, 0x23, - 0x7c, 0x0b, 0x2d, 0x4d, 0xd5, 0x03, 0xcb, 0x28, 0xce, 0x78, 0xa5, 0x0d, 0x55, 0xc9, 0xb2, 0x23, - 0x45, 0x01, 0x3e, 0xf1, 0x28, 0xfa, 0x15, 0xa2, 0x5c, 0x11, 0x26, 0xf0, 0xf4, 0x93, 0x92, 0x95, - 0x76, 0xad, 0xd3, 0x38, 0x7c, 0xdd, 0xf5, 0xdf, 0xdc, 0x9d, 0x7e, 0x73, 0xf7, 0x34, 0x10, 0xd2, - 0xa6, 0x4b, 0x98, 0xfe, 0x44, 0x03, 0x48, 0x4a, 0xa2, 0xa8, 0x30, 0x58, 0x17, 0x95, 0xc9, 0xe5, - 0x1f, 0x73, 0xb5, 0x56, 0x9f, 0xab, 0xb5, 0xeb, 0x53, 0x07, 0x21, 0x73, 0x56, 0xf4, 0x7b, 0xd8, - 0xca, 0x99, 0xce, 0xe4, 0x03, 0x55, 0x13, 0x4c, 0xf2, 0x5c, 0x51, 0xad, 0x93, 0x35, 0x37, 0x41, - 0x3c, 0x0b, 0x1c, 0x79, 0x1c, 0xfd, 0x0e, 0xaf, 0x9e, 0xc8, 0x8a, 0xde, 0x2b, 0xaa, 0x0b, 0x9c, - 0x53, 0x4e, 0x26, 0x49, 0xfd, 0xb9, 
0x0f, 0xd8, 0x99, 0x65, 0xa6, 0x3e, 0xf1, 0xd4, 0xe6, 0xa1, - 0x6f, 0x20, 0xfa, 0xc4, 0xca, 0x8f, 0x4c, 0xcc, 0x9a, 0xaf, 0xbb, 0xe6, 0x4d, 0x8f, 0x4e, 0x3b, - 0x1f, 0x43, 0x2b, 0x93, 0x42, 0xd0, 0xcc, 0x60, 0xc3, 0xc6, 0x54, 0x56, 0x26, 0xd9, 0x78, 0xae, - 0x63, 0x14, 0x32, 0x86, 0x3e, 0x01, 0xbd, 0x05, 0xa4, 0x0d, 0x31, 0x3a, 0xc7, 0x55, 0x5e, 0xce, - 0xda, 0x81, 0x9f, 0xd5, 0x47, 0x6e, 0xf3, 0x72, 0xda, 0xb1, 0x03, 0x71, 0x69, 0x95, 0x82, 0x49, - 0x3e, 0x66, 0x02, 0x97, 0x52, 0x99, 0xa4, 0xd1, 0xae, 0x75, 0x56, 0xd3, 0xc8, 0xe1, 0x47, 0x16, - 0xbe, 0x91, 0xca, 0xd8, 0x27, 0x24, 0x0f, 0x84, 0x71, 0x72, 0xc7, 0x38, 0x33, 0x13, 0xfc, 0x49, - 0x0a, 0x9a, 0x6c, 0xfa, 0xb2, 0xf3, 0x81, 0x0f, 0x52, 0x50, 0x94, 0xc3, 0xeb, 0x4c, 0x0a, 0xa3, - 0x24, 0xc7, 0x25, 0x27, 0x82, 0x62, 0x52, 0x99, 0x02, 0x97, 0x92, 0xb3, 0x6c, 0x92, 0x34, 0xdb, - 0xb5, 0x4e, 0x74, 0xf8, 0x5d, 0x77, 0x81, 0xb4, 0xbb, 0x47, 0x95, 0x29, 0xa8, 0x30, 0x2c, 0x73, - 0xc3, 0xdd, 0xb8, 0x84, 0x74, 0x37, 0xd4, 0xba, 0xb1, 0xa5, 0x2c, 0xc3, 0xe3, 0x76, 0xd4, 0xac, - 0xd2, 0x46, 0x8e, 0x71, 0x90, 0xf7, 0x3d, 0xe3, 0x34, 0x89, 0xfc, 0x37, 0xf9, 0x88, 0x77, 0xc0, - 0x39, 0xe3, 0xd4, 0x8e, 0x6a, 0xc7, 0xc7, 0x82, 0x8c, 0x29, 0xe6, 0x54, 0x8c, 0x4c, 0x91, 0xb4, - 0xfc, 0xa8, 0x16, 0xbf, 0x22, 0x63, 0xda, 0x77, 0x28, 0x6a, 0x3b, 0xbf, 0x64, 0x95, 0x52, 0x54, - 0x64, 0x93, 0x24, 0x76, 0xa4, 0x79, 0x68, 0xff, 0xaf, 0x3a, 0xc0, 0x25, 0xd5, 0x45, 0x30, 0xd8, - 0x5b, 0x40, 0x63, 0xf6, 0x48, 0x15, 0xce, 0x0a, 0x9a, 0x7d, 0xc4, 0xd6, 0x13, 0x54, 0x05, 0x9f, - 0xc5, 0x2e, 0x72, 0x62, 0x03, 0x03, 0x87, 0xa3, 0x2e, 0x6c, 0x7b, 0xb6, 0xa2, 0xf6, 0xbd, 0xa7, - 0x74, 0xef, 0xba, 0x2d, 0x17, 0x4a, 0x5d, 0x24, 0xf0, 0x0f, 0xc1, 0xaa, 0x8a, 0xdc, 0x71, 0x1a, - 0x5e, 0xd0, 0xb7, 0xd1, 0xce, 0x82, 0xeb, 0xe9, 0x76, 0x08, 0xfa, 0x47, 0x71, 0x8d, 0x34, 0x3a, - 0x80, 0x2d, 0xbf, 0x57, 0xce, 0xb4, 0xa1, 0x61, 0xb1, 0x2b, 0x6e, 0x90, 0x96, 0x0b, 0xf4, 0x1d, - 0xee, 0x36, 0xfb, 0x06, 0x3c, 0x84, 0x0b, 0x63, 0x4a, 0xcf, 0x5c, 0x75, 
0xcc, 0xa6, 0x83, 0xdf, - 0x1b, 0x53, 0x3a, 0xde, 0x02, 0x75, 0xae, 0xfd, 0x5f, 0x75, 0x7e, 0x0d, 0x4d, 0x26, 0x46, 0x56, - 0x7a, 0x38, 0xe3, 0x44, 0x6b, 0xe7, 0xa8, 0x8d, 0x74, 0x33, 0x80, 0x27, 0x16, 0xb3, 0xd7, 0x66, - 0x4a, 0x0a, 0xe7, 0x25, 0xd8, 0x25, 0x0a, 0xf0, 0xc0, 0xa3, 0x68, 0x0c, 0xaf, 0x66, 0xd5, 0xbc, - 0x44, 0x38, 0x55, 0x78, 0x2c, 0x73, 0xea, 0x7c, 0x13, 0x1d, 0xfe, 0xb4, 0x50, 0x64, 0x4f, 0x9b, - 0xeb, 0x5e, 0x84, 0xbe, 0xb3, 0xec, 0x4b, 0x99, 0xd3, 0x74, 0x87, 0x2d, 0x82, 0xd1, 0x35, 0x34, - 0xe6, 0x75, 0x0c, 0xae, 0xc5, 0xc1, 0x73, 0x2d, 0x9e, 0x04, 0x7b, 0xbc, 0x94, 0xd4, 0x52, 0x20, - 0x4f, 0x02, 0x3e, 0x83, 0x2d, 0x95, 0xeb, 0xcf, 0x6e, 0x4c, 0xe3, 0xb9, 0x37, 0x6d, 0xa9, 0x5c, - 0x7f, 0x7e, 0x5d, 0xa8, 0x70, 0xfa, 0x30, 0x8a, 0x64, 0x4c, 0x8c, 0x9c, 0x2f, 0xd7, 0xd3, 0xa6, - 0x47, 0x87, 0x1e, 0xb4, 0x7b, 0x26, 0x59, 0x66, 0x1f, 0x8b, 0xcb, 0xe0, 0x95, 0xa6, 0xbf, 0x42, - 0x1e, 0xee, 0x4b, 0x6f, 0x94, 0xdf, 0x20, 0xca, 0xe9, 0x3d, 0xa9, 0xb8, 0x09, 0xbe, 0x72, 0x96, - 0x6a, 0x1c, 0xb6, 0x17, 0x4e, 0x3a, 0xf7, 0x47, 0x93, 0x36, 0x43, 0x5e, 0xb0, 0xc5, 0x8f, 0xb0, - 0x3b, 0x36, 0x5c, 0x63, 0xfa, 0x98, 0xf1, 0x2a, 0xa7, 0xf9, 0x74, 0x9b, 0x3a, 0x69, 0xb5, 0x97, - 0x3b, 0x1b, 0xe9, 0x4b, 0x1b, 0x3d, 0x0b, 0xc1, 0xb0, 0x53, 0x6d, 0x25, 0xe2, 0xed, 0x31, 0xbd, - 0x5d, 0xb1, 0x97, 0x88, 0x03, 0xc3, 0xdd, 0xda, 0xff, 0x19, 0x76, 0x16, 0xae, 0x0e, 0xd5, 0x61, - 0xf9, 0xfa, 0xfc, 0x3c, 0x7e, 0x81, 0x1a, 0x50, 0x3f, 0x3d, 0x3b, 0x3f, 0xba, 0xed, 0x0f, 0xe3, - 0x1a, 0x02, 0x58, 0x1b, 0x0c, 0xd3, 0x8b, 0x93, 0x61, 0xbc, 0xb4, 0xff, 0x06, 0x60, 0xee, 0x86, - 0xac, 0xc3, 0xca, 0xd5, 0xf5, 0xd5, 0x59, 0xfc, 0x02, 0x45, 0x00, 0x97, 0xb7, 0xc3, 0xdb, 0xa3, - 0x3e, 0x1e, 0xf6, 0x07, 0x71, 0xed, 0xe0, 0x17, 0x78, 0xb9, 0xe8, 0x1a, 0xfd, 0x77, 0x06, 0xda, - 0x84, 0xfa, 0xc5, 0xd5, 0xfb, 0xb3, 0xf4, 0x62, 0x18, 0xff, 0x5d, 0x3f, 0xfe, 0xe2, 0xc3, 0x9e, - 0x7f, 0x2f, 0x26, 0x7b, 0xa4, 0x64, 0xbd, 0x7f, 0xfd, 0xcb, 0xdf, 0xad, 0xb9, 0xbd, 0xfe, 0xf0, - 0x4f, 0x00, 
0x00, 0x00, 0xff, 0xff, 0xde, 0xe8, 0x6d, 0xe0, 0xfd, 0x07, 0x00, 0x00, + // 1043 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0x5b, 0x4f, 0x23, 0x47, + 0x13, 0x5d, 0x73, 0x33, 0x94, 0xf1, 0x85, 0x66, 0x61, 0x67, 0xd1, 0xf7, 0x25, 0x96, 0xa3, 0x6c, + 0x1c, 0xb2, 0xb2, 0xb5, 0x24, 0x91, 0x92, 0x97, 0x28, 0x60, 0x4c, 0x16, 0xc9, 0x5c, 0x32, 0x36, + 0x2f, 0xfb, 0xd2, 0x6a, 0x66, 0x1a, 0x4f, 0x6b, 0x7b, 0xa6, 0x47, 0xdd, 0x3d, 0x04, 0xef, 0x3f, + 0xc9, 0x3f, 0xcc, 0x4b, 0xfe, 0x43, 0xd4, 0x97, 0x31, 0xde, 0x95, 0x23, 0xb2, 0x8f, 0x9c, 0x3a, + 0x55, 0x35, 0x55, 0x7d, 0x4e, 0x61, 0x38, 0x48, 0xa9, 0x4a, 0xfa, 0xf7, 0x6f, 0x08, 0xcf, 0x13, + 0xf2, 0xa6, 0x1f, 0x89, 0xec, 0x8e, 0x4d, 0x7b, 0xb9, 0x14, 0x5a, 0xa0, 0x5d, 0xa6, 0x34, 0x13, + 0x3d, 0xc3, 0xe8, 0x95, 0x8c, 0x83, 0x2f, 0xa6, 0x42, 0x4c, 0x39, 0xed, 0x5b, 0xca, 0x6d, 0x71, + 0xd7, 0x8f, 0x0b, 0x49, 0x34, 0x13, 0x99, 0x4b, 0xea, 0x5c, 0x40, 0x7d, 0x4c, 0xe5, 0x3d, 0x95, + 0xc7, 0x71, 0x2c, 0xa9, 0x52, 0xe8, 0xff, 0x00, 0x69, 0xa1, 0x0b, 0xc2, 0xb1, 0xe6, 0x2a, 0xa8, + 0xb4, 0x2b, 0xdd, 0xad, 0x70, 0xcb, 0x21, 0x13, 0x6e, 0xc3, 0x39, 0x27, 0x2c, 0xc3, 0x9a, 0x3e, + 0xe8, 0x60, 0xc5, 0x85, 0x2d, 0x32, 0xa1, 0x0f, 0xba, 0xf3, 0x67, 0x15, 0x6a, 0xd7, 0x52, 0x3c, + 0xcc, 0x06, 0xf6, 0xcb, 0xd0, 0x97, 0x50, 0x73, 0xdf, 0x88, 0x73, 0xa2, 0x13, 0x5f, 0x0e, 0x1c, + 0x74, 0x4d, 0x74, 0x62, 0x08, 0xb7, 0x2c, 0x23, 0x72, 0xe6, 0x08, 0xae, 0x20, 0x38, 0xc8, 0x12, + 0xbe, 0x81, 0xa6, 0xa2, 0xf2, 0x9e, 0x45, 0x14, 0x47, 0xbc, 0x50, 0x9a, 0xca, 0x60, 0xd5, 0x92, + 0x1a, 0x1e, 0x1e, 0x38, 0x14, 0xfd, 0x0a, 0x8d, 0x58, 0x9a, 0x2f, 0x2b, 0x27, 0x0c, 0xd6, 0xda, + 0x95, 0x6e, 0xed, 0xe8, 0x65, 0xcf, 0xad, 0xa0, 0x57, 0xae, 0xa0, 0x77, 0xea, 0x09, 0x61, 0xdd, + 0x26, 0x94, 0x7f, 0xa2, 0x31, 0x04, 0x39, 0x91, 0x34, 0xd3, 0x58, 0x25, 0x85, 0x8e, 0xc5, 0x1f, + 0x0b, 0xb5, 0xd6, 0x9f, 0xaa, 0xb5, 0xef, 0x52, 0xc7, 0x3e, 0x73, 0x5e, 0xf4, 0x3b, 0xd8, 0x89, + 0x99, 0x8a, 
0xc4, 0x3d, 0x95, 0x33, 0x4c, 0xdc, 0x92, 0x83, 0x0d, 0x3b, 0x41, 0x6b, 0x1e, 0x28, + 0x97, 0xff, 0x3b, 0xbc, 0x78, 0x24, 0x4b, 0x7a, 0x27, 0xa9, 0x4a, 0x70, 0x4c, 0x39, 0x99, 0x05, + 0xd5, 0xa7, 0x3e, 0x60, 0x6f, 0x9e, 0x19, 0xba, 0xc4, 0x53, 0x93, 0x87, 0xbe, 0x86, 0xc6, 0x07, + 0x96, 0xbf, 0x67, 0xd9, 0xbc, 0xf9, 0xa6, 0x6d, 0x5e, 0x77, 0x68, 0xd9, 0xf9, 0x04, 0x9a, 0x91, + 0xc8, 0x32, 0x1a, 0x69, 0xac, 0x59, 0x4a, 0x45, 0xa1, 0x83, 0xad, 0xa7, 0x3a, 0x36, 0x7c, 0xc6, + 0xc4, 0x25, 0xa0, 0xd7, 0x80, 0x94, 0x26, 0x5a, 0xc5, 0xb8, 0x88, 0xf3, 0x79, 0x3b, 0x70, 0xb3, + 0xba, 0xc8, 0x4d, 0x9c, 0x97, 0x1d, 0xbb, 0xd0, 0xca, 0x8d, 0x52, 0x30, 0x89, 0x53, 0x96, 0xe1, + 0x5c, 0x48, 0x1d, 0xd4, 0xda, 0x95, 0xee, 0x7a, 0xd8, 0xb0, 0xf8, 0xb1, 0x81, 0xaf, 0x85, 0xd4, + 0x66, 0x85, 0xe4, 0x9e, 0x30, 0x4e, 0x6e, 0x19, 0x67, 0x7a, 0x86, 0x3f, 0x88, 0x8c, 0x06, 0xdb, + 0xae, 0xec, 0x62, 0xe0, 0x9d, 0xc8, 0x28, 0x8a, 0xe1, 0x65, 0x24, 0x32, 0x2d, 0x05, 0xc7, 0x39, + 0x27, 0x19, 0xc5, 0xa4, 0xd0, 0x09, 0xce, 0x05, 0x67, 0xd1, 0x2c, 0xa8, 0xb7, 0x2b, 0xdd, 0xc6, + 0xd1, 0xb7, 0xbd, 0x25, 0x4e, 0xe9, 0x1d, 0x17, 0x3a, 0xa1, 0x99, 0x66, 0x91, 0x1d, 0xee, 0xda, + 0x26, 0x84, 0xfb, 0xbe, 0xd6, 0xb5, 0x29, 0x65, 0x18, 0x0e, 0x37, 0xa3, 0x46, 0x85, 0xd2, 0x22, + 0xc5, 0x5e, 0xde, 0x77, 0x8c, 0xd3, 0xa0, 0xe1, 0xbe, 0xc9, 0x45, 0x9c, 0x03, 0xce, 0x18, 0xa7, + 0x66, 0x54, 0x33, 0x3e, 0xce, 0x48, 0x4a, 0x31, 0xa7, 0xd9, 0x54, 0x27, 0x41, 0xd3, 0x8d, 0x6a, + 0xf0, 0x4b, 0x92, 0xd2, 0x91, 0x45, 0x51, 0xdb, 0xfa, 0x25, 0x2a, 0xa4, 0xa4, 0x59, 0x34, 0x0b, + 0x5a, 0x96, 0xb4, 0x08, 0xa1, 0x9f, 0x60, 0x3d, 0x67, 0x5c, 0xe8, 0x60, 0xc7, 0x3e, 0x4f, 0x67, + 0xe9, 0x2c, 0x1f, 0x59, 0x3a, 0x74, 0x09, 0x9d, 0xbf, 0x37, 0x01, 0x2e, 0xa8, 0x4a, 0xbc, 0x35, + 0x5f, 0x03, 0x4a, 0xd9, 0x03, 0x95, 0x38, 0x4a, 0x68, 0xf4, 0x1e, 0x2b, 0x9b, 0xe2, 0x1d, 0xda, + 0xb2, 0x91, 0x81, 0x09, 0xb8, 0x52, 0xa8, 0x07, 0xbb, 0x8e, 0x2d, 0xa9, 0x79, 0xa9, 0x92, 0xee, + 0xfc, 0xba, 0x63, 0x43, 0xa1, 0x8d, 0x78, 0xfe, 
0x11, 0x18, 0x3d, 0x92, 0x5b, 0x4e, 0xfd, 0xee, + 0x5d, 0x1b, 0x65, 0xcd, 0xbb, 0x19, 0xee, 0xfa, 0xa0, 0x5b, 0xa7, 0x6d, 0xa4, 0xd0, 0x21, 0xec, + 0x38, 0x45, 0x70, 0xa6, 0x34, 0xf5, 0x92, 0x58, 0xb3, 0x2b, 0x68, 0xda, 0xc0, 0xc8, 0xe2, 0x56, + 0x13, 0xaf, 0xc0, 0x41, 0x38, 0xd1, 0x3a, 0x77, 0xcc, 0x75, 0xcb, 0xac, 0x5b, 0xf8, 0xad, 0xd6, + 0xb9, 0xe5, 0x2d, 0xd1, 0xf5, 0xc6, 0xe7, 0xea, 0xfa, 0x2b, 0xa8, 0xb3, 0x6c, 0x6a, 0x56, 0x89, + 0x23, 0x4e, 0x94, 0xb2, 0x5e, 0xdc, 0x0a, 0xb7, 0x3d, 0x38, 0x30, 0x98, 0xb9, 0x53, 0x25, 0xc9, + 0x1f, 0x26, 0x6f, 0xb4, 0x86, 0x87, 0xc7, 0x0e, 0x45, 0x29, 0xbc, 0x98, 0x57, 0x73, 0xe2, 0xe2, + 0x54, 0xe2, 0x54, 0xc4, 0xd4, 0x3a, 0xae, 0x71, 0xf4, 0xe3, 0xd2, 0x27, 0x7d, 0x7c, 0xb9, 0xde, + 0xb9, 0xef, 0x3b, 0xcf, 0xbe, 0x10, 0x31, 0x0d, 0xf7, 0xd8, 0x32, 0x18, 0x5d, 0x41, 0x6d, 0xd1, + 0x01, 0x60, 0x5b, 0x1c, 0x3e, 0xd5, 0xe2, 0x51, 0xea, 0x27, 0x2b, 0x41, 0x25, 0x04, 0xf2, 0x28, + 0xfd, 0x21, 0xec, 0xc8, 0x58, 0x7d, 0x72, 0x9d, 0x6a, 0x4f, 0xed, 0xb4, 0x29, 0x63, 0xf5, 0xe9, + 0x5d, 0xa2, 0x99, 0xd5, 0x87, 0x96, 0x24, 0x62, 0xd9, 0xd4, 0x3a, 0x7a, 0x33, 0xac, 0x3b, 0x74, + 0xe2, 0x40, 0xf3, 0xce, 0x24, 0x8a, 0xcc, 0xb2, 0xb8, 0xf0, 0x2e, 0xab, 0xbb, 0xfb, 0xe5, 0xe0, + 0x91, 0x70, 0x16, 0xfb, 0x0d, 0x1a, 0x31, 0xbd, 0x23, 0x05, 0xd7, 0xde, 0x91, 0xd6, 0x8c, 0xb5, + 0xa3, 0xf6, 0xd2, 0x49, 0x17, 0xfe, 0x45, 0x85, 0x75, 0x9f, 0xe7, 0x6d, 0xf1, 0x03, 0xec, 0xa7, + 0x9a, 0x2b, 0x4c, 0x1f, 0x22, 0x5e, 0xc4, 0x34, 0x2e, 0x5f, 0x53, 0x05, 0xcd, 0xf6, 0x6a, 0x77, + 0x2b, 0x7c, 0x6e, 0xa2, 0x43, 0x1f, 0xf4, 0x6f, 0xaa, 0x8c, 0x44, 0x9c, 0x3d, 0xca, 0xab, 0xd7, + 0x72, 0x12, 0xb1, 0x60, 0x79, 0xf1, 0x06, 0x50, 0x5b, 0x70, 0xdc, 0x67, 0x18, 0x18, 0x1e, 0xed, + 0x88, 0x86, 0xb0, 0xbd, 0x68, 0xc4, 0x00, 0xfd, 0xe7, 0x2a, 0xb5, 0x05, 0x97, 0x76, 0x7e, 0x86, + 0xbd, 0xa5, 0x32, 0x42, 0x55, 0x58, 0xbd, 0x3a, 0x3b, 0x6b, 0x3d, 0x43, 0x35, 0xa8, 0x9e, 0x0e, + 0xcf, 0x8e, 0x6f, 0x46, 0x93, 0x56, 0x05, 0x01, 0x6c, 0x8c, 0x27, 0xe1, 0xf9, 0x60, 
0xd2, 0x5a, + 0xe9, 0xbc, 0x02, 0x58, 0xb8, 0x84, 0x9b, 0xb0, 0x76, 0x79, 0x75, 0x39, 0x6c, 0x3d, 0x43, 0x0d, + 0x80, 0x8b, 0x9b, 0xc9, 0xcd, 0xf1, 0x08, 0x4f, 0x46, 0xe3, 0x56, 0xe5, 0xf0, 0x17, 0x78, 0xbe, + 0xec, 0xa6, 0xfe, 0x7b, 0x06, 0xda, 0x86, 0xea, 0xf9, 0xe5, 0xdb, 0x61, 0x78, 0x3e, 0x69, 0xfd, + 0x55, 0x3d, 0xf9, 0xdf, 0xbb, 0x03, 0x37, 0x14, 0x13, 0x7d, 0x92, 0xb3, 0xfe, 0x47, 0x3f, 0x7d, + 0x6e, 0x37, 0xac, 0xc6, 0xbe, 0xff, 0x27, 0x00, 0x00, 0xff, 0xff, 0x74, 0xbd, 0x2a, 0x4d, 0x12, + 0x09, 0x00, 0x00, } diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 8dc99f665dc..99723cb2aeb 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto @@ -41,6 +41,16 @@ enum AuthenticationPolicy { INHERIT = 1000; } +// ServerAddress specifies the address of Istio components like mixer, pilot, etc. +// At least one of the field needs to be specified. +message ServerAddress { + // The address for mTLS server, e.g., (_istio-pilot:15003_) + string mutual_tls = 1; + + // The address for plain text server, e.g., (_istio-pilot:15005_) + string plain_text = 2; +} + // ProxyConfig defines variables for individual Envoy instances. message ProxyConfig { // Path to the generated configuration file directory. @@ -74,7 +84,7 @@ message ProxyConfig { // MUST BE greater than _drain_duration_ parameter. google.protobuf.Duration parent_shutdown_duration = 5; - // Address of the discovery service exposing xDS (e.g. _istio-pilot:8080_). + // Deprecated, use server_address instead. string discovery_address = 6; // Polling interval for service discovery (used by EDS, CDS, LDS, but not RDS). (MUST BE >=1ms) 
@@ -112,27 +122,18 @@ message ProxyConfig { // The number of worker threads to run. Default value is number of cores on the machine. int32 concurrency = 16; + + // Address of the discovery service exposing xDS. + ServerAddress pilot = 17; } // MeshConfig defines mesh-wide variables shared by all Envoy instances in the // Istio service mesh. message MeshConfig { - // Address of the server that will be used by the proxies for policy - // check calls (e.g. _istio-mixer:15004_). By using different names for - // mixerCheckServer and mixerReportServer, it is possible to have one set - // of mixer servers handle policy check calls, while another set of mixer - // servers handle telemetry calls. - // - // NOTE: Omitting mixerCheckServer while specifying mixerReportServer is - // equivalent to setting disablePolicyChecks to true. + // Deprecated, use mixer_check instead. string mixer_check_server = 1; - // Address of the server that will be used by the proxies as an Istio - // telemetry sink (access logs, API/connection metrics) - // (e.g. _istio-mixer:15004_). By using different names for - // mixerCheckServer and mixerReportServer, it is possible to have one set - // of mixer servers handle policy check calls, while another set of mixer - // servers handle telemetry calls. + // Deprecated, use mixer_report instead. string mixer_report_server = 2; // Disable policy checks by the mixer service. Default 
@@ -220,6 +221,19 @@ message MeshConfig { repeated string mtls_excluded_services = 15; // DEPRECATED. Mixer address. This option will be removed soon. Please - // use mixer_check_server and mixer_report_server. + // use mixer_check and mixer_report. string mixer_address = 16; + + // Address of the server that will be used by the proxies for policy + // check calls. By using different names for mixerCheck and mixerReport, it + // is possible to have one set of mixer servers handle policy check calls, + // while another set of mixer servers handle telemetry calls. + // + // NOTE: Omitting mixerCheck while specifying mixerReport is + // equivalent to setting disablePolicyChecks to true. + ServerAddress mixer_check = 17; + + // Address of the server that will be used by the proxies for policy report + // calls. + ServerAddress mixer_report = 18; } diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index f6d80d17f8c..62d75e83136 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -4,7 +4,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html layout: protoc-gen-docs redirect_from: /docs/reference/config/service-mesh.html -number_of_entries: 5 +number_of_entries: 6 ---
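Review bot: The NOTE on `mixer_check` keeps the rule that omitting it while `mixer_report` is set disables policy checks, but it does not define "omitted" now that the deprecated `mixer_check_server` string is still accepted. A config that moves only the report address to the new field, or sets `mixer_check` with both strings empty, could switch policy enforcement off without any error. Spell it out in the comment, e.g. `// A ServerAddress with both fields empty counts as omitted; mixer_check_server is consulted only when mixer_check is omitted.`, if that matches the implementation. The `mixer_report` comment also says "policy report calls" where the removed text described a telemetry sink. MeshConfig starts outside this hunk.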

AuthenticationPolicy

@@ -64,14 +64,7 @@

MeshConfig

mixerCheckServer string -

Address of the server that will be used by the proxies for policy -check calls (e.g. istio-mixer:15004). By using different names for -mixerCheckServer and mixerReportServer, it is possible to have one set -of mixer servers handle policy check calls, while another set of mixer -servers handle telemetry calls.

- -

NOTE: Omitting mixerCheckServer while specifying mixerReportServer is -equivalent to setting disablePolicyChecks to true.

+

Deprecated, use mixer_check instead.

@@ -79,12 +72,7 @@

MeshConfig

mixerReportServer string -

Address of the server that will be used by the proxies as an Istio -telemetry sink (access logs, API/connection metrics) -(e.g. istio-mixer:15004). By using different names for -mixerCheckServer and mixerReportServer, it is possible to have one set -of mixer servers handle policy check calls, while another set of mixer -servers handle telemetry calls.

+

Deprecated, use mixer_report instead.

@@ -214,7 +202,30 @@

MeshConfig

string

DEPRECATED. Mixer address. This option will be removed soon. Please -use mixercheckserver and mixerreportserver.

+use mixercheck and mixerreport.

+ + + + +mixerCheck +ServerAddress + +

Address of the server that will be used by the proxies for policy +check calls. By using different names for mixerCheck and mixerReport, it +is possible to have one set of mixer servers handle policy check calls, +while another set of mixer servers handle telemetry calls.

+ +

NOTE: Omitting mixerCheck while specifying mixerReport is +equivalent to setting disablePolicyChecks to true.

+ + + + +mixerReport +ServerAddress + +

Address of the server that will be used by the proxies for policy report +calls.

@@ -365,7 +376,7 @@

ProxyConfig

discoveryAddress string -

Address of the discovery service exposing xDS (e.g. istio-pilot:8080).

+

Deprecated, use server_address instead.

@@ -455,6 +466,47 @@

ProxyConfig

The number of worker threads to run. Default value is number of cores on the machine.

+ + + +pilot +ServerAddress + +

Address of the discovery service exposing xDS.

+ + + + + +
+

ServerAddress

+
+

ServerAddress specifies the address of Istio components like mixer, pilot, etc. +At least one of the field needs to be specified.

+ + + + + + + + + + + + + + + + + + + From 2387487ade38b28ad5301e0d7f8666c678e38f3a Mon Sep 17 00:00:00 2001 From: Frank Budinsky Date: Tue, 13 Feb 2018 14:34:26 -0500 Subject: [PATCH 14/15] Doc clarifications (#365) * Doc clarifications * regenerate go files --- routing/v1alpha2/gateway.pb.go | 16 +++++++++------- routing/v1alpha2/gateway.proto | 16 +++++++++------- .../v1alpha2/istio.routing.v1alpha2.pb.html | 18 ++++++++++-------- 3 files changed, 28 insertions(+), 22 deletions(-) diff --git a/routing/v1alpha2/gateway.pb.go b/routing/v1alpha2/gateway.pb.go index 0e2de3d8c2c..70efa59cf6a 100644 --- a/routing/v1alpha2/gateway.pb.go +++ b/routing/v1alpha2/gateway.pb.go @@ -55,7 +55,7 @@ func (Server_TLSOptions_TLSmode) EnumDescriptor() ([]byte, []int) { // For example, the following gateway spec sets up a proxy to act as a load // balancer exposing port 80 and 9080 (http), 443 (https), and port 2379 // (TCP) for ingress. The gateway will be applied to the proxy running on -// a pod with labels "podRole: gateway-pod". While Istio will configure the +// a pod with labels "app: my-gateway-controller". While Istio will configure the // proxy to listen on these ports, it is the responsibility of the user to // ensure that external traffic to these ports are allowed into the mesh. // @@ -65,7 +65,7 @@ func (Server_TLSOptions_TLSmode) EnumDescriptor() ([]byte, []int) { // name: my-gateway // spec: // selector: -// - podRole: gatweway-pod +// - app: my-gatweway-controller // servers: // - port: // number: 80 
@@ -170,8 +170,10 @@ func (Server_TLSOptions_TLSmode) EnumDescriptor() ([]byte, []int) { type Gateway struct { // REQUIRED: A list of server specifications. Servers []*Server `protobuf:"bytes,1,rep,name=servers" json:"servers,omitempty"` - // REQUIRED: One or more labels that indicate a specific set of pods/VMs + // One or more labels that indicate a specific set of pods/VMs // on which this gateway configuration should be applied. + // If no selectors are provided, the gateway will be implemented by + // the default istio-ingress controller. Selector map[string]string `protobuf:"bytes,2,rep,name=selector" json:"selector,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` } @@ -203,7 +205,7 @@ func (m *Gateway) GetSelector() map[string]string { // name: my-ingress // spec: // selector: -// - podRole: ingress-gateway +// - app: my-ingress-controller // servers: // - port: // number: 80 @@ -217,7 +219,7 @@ func (m *Gateway) GetSelector() map[string]string { // name: my-tcp-ingress // spec: // selector: -// - podRole: tcp-ingress-pod +// - app: my-tcp-ingress-controller // servers: // - port: // number: 27018 @@ -228,10 +230,10 @@ func (m *Gateway) GetSelector() map[string]string { // apiVersion: config.istio.io/v1alpha2 // kind: Gateway // metadata: -// name: my-ingress +// name: my-tls-ingress // spec: // selector: -// - podRole: ingress-tls +// - app: my-tls-ingress-controller // servers: // - port: // number: 443 diff --git a/routing/v1alpha2/gateway.proto b/routing/v1alpha2/gateway.proto index 49fc7653064..fcbf78c585e 100644 --- a/routing/v1alpha2/gateway.proto +++ b/routing/v1alpha2/gateway.proto 
@@ -29,7 +29,7 @@ option go_package = "istio.io/api/routing/v1alpha2"; // For example, the following gateway spec sets up a proxy to act as a load // balancer exposing port 80 and 9080 (http), 443 (https), and port 2379 // (TCP) for ingress. The gateway will be applied to the proxy running on -// a pod with labels "podRole: gateway-pod". While Istio will configure the +// a pod with labels "app: my-gateway-controller". While Istio will configure the // proxy to listen on these ports, it is the responsibility of the user to // ensure that external traffic to these ports are allowed into the mesh. // @@ -39,7 +39,7 @@ option go_package = "istio.io/api/routing/v1alpha2"; // name: my-gateway // spec: // selector: -// - podRole: gatweway-pod +// - app: my-gatweway-controller // servers: // - port: // number: 80 @@ -145,8 +145,10 @@ message Gateway { // REQUIRED: A list of server specifications. repeated Server servers = 1; - // REQUIRED: One or more labels that indicate a specific set of pods/VMs + // One or more labels that indicate a specific set of pods/VMs // on which this gateway configuration should be applied. + // If no selectors are provided, the gateway will be implemented by + // the default istio-ingress controller. map selector = 2; } @@ -159,7 +161,7 @@ message Gateway { // name: my-ingress // spec: // selector: -// - podRole: ingress-gateway +// - app: my-ingress-controller // servers: // - port: // number: 80 @@ -173,7 +175,7 @@ message Gateway { // name: my-tcp-ingress // spec: // selector: -// - podRole: tcp-ingress-pod +// - app: my-tcp-ingress-controller // servers: // - port: // number: 27018 @@ -184,10 +186,10 @@ message Gateway { // apiVersion: config.istio.io/v1alpha2 // kind: Gateway // metadata: -// name: my-ingress +// name: my-tls-ingress // spec: // selector: -// - podRole: ingress-tls +// - app: my-tls-ingress-controller // servers: // - port: // number: 443 
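Review bot: The rewritten selector in the first example still carries the typo, `app: my-gatweway-controller`, while the prose in the previous hunk names the label `app: my-gateway-controller`. A reader who copies the example gets a selector that does not match the pods the text describes. The line should be `// - app: my-gateway-controller`. The same line appears in gateway.pb.go and the HTML reference, which are regenerated from this file.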
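Review bot: In the `message Gateway` hunk, the new comment on `selector` drops REQUIRED and makes an empty selector mean the gateway is implemented by the default istio-ingress controller. A Gateway written without a selector is then no longer rejected, and its listed ports are served by the shared ingress. The comment should state that consequence outright, for instance `// NOTE: an empty selector binds these servers to the default istio-ingress controller; set a selector to restrict them to specific proxies.` Whether validation should warn on an empty selector is worth deciding before REQUIRED is dropped. The Gateway message starts outside this hunk.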
diff --git a/routing/v1alpha2/istio.routing.v1alpha2.pb.html b/routing/v1alpha2/istio.routing.v1alpha2.pb.html index ebbe08fc77a..10f635ae891 100644 --- a/routing/v1alpha2/istio.routing.v1alpha2.pb.html +++ b/routing/v1alpha2/istio.routing.v1alpha2.pb.html @@ -933,7 +933,7 @@

Gateway

For example, the following gateway spec sets up a proxy to act as a load balancer exposing port 80 and 9080 (http), 443 (https), and port 2379 (TCP) for ingress. The gateway will be applied to the proxy running on -a pod with labels “podRole: gateway-pod”. While Istio will configure the +a pod with labels “app: my-gateway-controller”. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

@@ -943,7 +943,7 @@

Gateway

name: my-gateway spec: selector: - - podRole: gatweway-pod + - app: my-gatweway-controller servers: - port: number: 80 @@ -1069,8 +1069,10 @@

Gateway

@@ -2281,7 +2283,7 @@

Server

name: my-ingress spec: selector: - - podRole: ingress-gateway + - app: my-ingress-controller servers: - port: number: 80 @@ -2296,7 +2298,7 @@

Server

name: my-tcp-ingress spec: selector: - - podRole: tcp-ingress-pod + - app: my-tcp-ingress-controller servers: - port: number: 27018 @@ -2308,10 +2310,10 @@

Server

apiVersion: config.istio.io/v1alpha2
 kind: Gateway
 metadata:
-  name: my-ingress
+  name: my-tls-ingress
 spec:
   selector:
-  - podRole: ingress-tls
+  - app: my-tls-ingress-controller
   servers:
   - port:
       number: 443

From 0fb102fd2693a06287121ea3dd7677a2005887be Mon Sep 17 00:00:00 2001
From: Jason Young 
Date: Tue, 13 Feb 2018 16:21:47 -0800
Subject: [PATCH 15/15] add apis dependency to `generate` and `clean-generated`
 targets

---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 98be2036c43..312d68a1b12 100644
--- a/Makefile
+++ b/Makefile
@@ -145,7 +145,7 @@ depend: vendor binaries
 # Generation Rules
 #####################
 
-generate: generate-broker-go generate-mesh-go generate-mixer-go generate-routing-go generate-rbac-go generate-authn-go
+generate: generate-broker-go generate-mesh-go generate-mixer-go generate-routing-go generate-rbac-go generate-authn-go generate-apis-go
 
 #####################
 # broker/...
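Review bot: `generate` now depends on `generate-apis-go`, and `clean-generated` on `clean-apis-generated` in the hunk at line 350, but this patch defines neither rule. Both prerequisites therefore rely on rules added elsewhere in the series. If either is missing, `make generate` or `make clean-generated` stops with a "No rule to make target" error. Confirm both rules exist and, if the Makefile declares phony targets, that the new names are listed there too.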
@@ -350,4 +350,4 @@ clean:
 	rm -rf genbin
 	rm -rf vendor
 
-clean-generated: clean-broker-generated clean-mesh-generated clean-mixer-generated clean-routing-generated clean-rbac-generated clean-authn-generated
+clean-generated: clean-broker-generated clean-mesh-generated clean-mixer-generated clean-routing-generated clean-rbac-generated clean-authn-generated clean-apis-generated
FieldTypeDescription
mutualTlsstring +

The address for mTLS server, e.g., (istio-pilot:15003)

+ +
plainTextstring +

The address for plain text server, e.g., (istio-pilot:15005)

+
selector map<string,string> -

REQUIRED: One or more labels that indicate a specific set of pods/VMs -on which this gateway configuration should be applied.

+

One or more labels that indicate a specific set of pods/VMs +on which this gateway configuration should be applied. +If no selectors are provided, the gateway will be implemented by +the default istio-ingress controller.