From f34cee047e7eb2b093e5fbe27670da4d9feeb4da Mon Sep 17 00:00:00 2001 From: John Howard Date: Wed, 27 Nov 2024 10:43:19 -0800 Subject: [PATCH 1/2] Remove legacy `Policy` type This has not been used for many many years --- .../istio.authentication.v1alpha1.pb.html | 9 - authentication/v1alpha1/policy.pb.go | 1326 ----------------- authentication/v1alpha1/policy.proto | 432 ------ .../v1alpha1/policy_deepcopy.gen.go | 195 --- authentication/v1alpha1/policy_json.gen.go | 111 -- 5 files changed, 2073 deletions(-) delete mode 100644 authentication/v1alpha1/istio.authentication.v1alpha1.pb.html delete mode 100644 authentication/v1alpha1/policy.pb.go delete mode 100644 authentication/v1alpha1/policy.proto delete mode 100644 authentication/v1alpha1/policy_deepcopy.gen.go delete mode 100644 authentication/v1alpha1/policy_json.gen.go diff --git a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html deleted file mode 100644 index 9c82753cf8d..00000000000 --- a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html +++ /dev/null @@ -1,9 +0,0 @@ ---- -title: istio.authentication.v1alpha1 -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio.authentication.v1alpha1.Policy -number_of_entries: 0 ---- -

This package defines user-facing authentication policy.

- diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go deleted file mode 100644 index 63409648f4c..00000000000 --- a/authentication/v1alpha1/policy.pb.go +++ /dev/null 
@@ -1,1326 +0,0 @@ -// Copyright 2018 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.35.2 -// protoc (unknown) -// source: authentication/v1alpha1/policy.proto - -// $schema: istio.authentication.v1alpha1.Policy -// $mode: package - -// This package defines user-facing authentication policy. - -package v1alpha1 - -import ( - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -// $hide_from_docs -// Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always -// comes from request authentication (i.e JWT). -// Associates authentication with request principal. -type PrincipalBinding int32 - -const ( - // Principal will be set to the identity from peer authentication. - PrincipalBinding_USE_PEER PrincipalBinding = 0 - // Principal will be set to the identity from origin authentication. - PrincipalBinding_USE_ORIGIN PrincipalBinding = 1 -) - -// Enum value maps for PrincipalBinding. 
-var ( - PrincipalBinding_name = map[int32]string{ - 0: "USE_PEER", - 1: "USE_ORIGIN", - } - PrincipalBinding_value = map[string]int32{ - "USE_PEER": 0, - "USE_ORIGIN": 1, - } -) - -func (x PrincipalBinding) Enum() *PrincipalBinding { - p := new(PrincipalBinding) - *p = x - return p -} - -func (x PrincipalBinding) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (PrincipalBinding) Descriptor() protoreflect.EnumDescriptor { - return file_authentication_v1alpha1_policy_proto_enumTypes[0].Descriptor() -} - -func (PrincipalBinding) Type() protoreflect.EnumType { - return &file_authentication_v1alpha1_policy_proto_enumTypes[0] -} - -func (x PrincipalBinding) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use PrincipalBinding.Descriptor instead. -func (PrincipalBinding) EnumDescriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{0} -} - -// $hide_from_docs -// Defines the acceptable connection TLS mode. -type MutualTls_Mode int32 - -const ( - // Client cert must be presented, connection is in TLS. - MutualTls_STRICT MutualTls_Mode = 0 - // Connection can be either plaintext or TLS with Client cert. - MutualTls_PERMISSIVE MutualTls_Mode = 1 -) - -// Enum value maps for MutualTls_Mode. 
-var ( - MutualTls_Mode_name = map[int32]string{ - 0: "STRICT", - 1: "PERMISSIVE", - } - MutualTls_Mode_value = map[string]int32{ - "STRICT": 0, - "PERMISSIVE": 1, - } -) - -func (x MutualTls_Mode) Enum() *MutualTls_Mode { - p := new(MutualTls_Mode) - *p = x - return p -} - -func (x MutualTls_Mode) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (MutualTls_Mode) Descriptor() protoreflect.EnumDescriptor { - return file_authentication_v1alpha1_policy_proto_enumTypes[1].Descriptor() -} - -func (MutualTls_Mode) Type() protoreflect.EnumType { - return &file_authentication_v1alpha1_policy_proto_enumTypes[1] -} - -func (x MutualTls_Mode) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use MutualTls_Mode.Descriptor instead. -func (MutualTls_Mode) EnumDescriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{1, 0} -} - -// $hide_from_docs -// Describes how to match a given string. Match is case-sensitive. 
-type StringMatch struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to MatchType: - // - // *StringMatch_Exact - // *StringMatch_Prefix - // *StringMatch_Suffix - // *StringMatch_Regex - MatchType isStringMatch_MatchType `protobuf_oneof:"match_type"` -} - -func (x *StringMatch) Reset() { - *x = StringMatch{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *StringMatch) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*StringMatch) ProtoMessage() {} - -func (x *StringMatch) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[0] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use StringMatch.ProtoReflect.Descriptor instead. 
-func (*StringMatch) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{0} -} - -func (m *StringMatch) GetMatchType() isStringMatch_MatchType { - if m != nil { - return m.MatchType - } - return nil -} - -func (x *StringMatch) GetExact() string { - if x, ok := x.GetMatchType().(*StringMatch_Exact); ok { - return x.Exact - } - return "" -} - -func (x *StringMatch) GetPrefix() string { - if x, ok := x.GetMatchType().(*StringMatch_Prefix); ok { - return x.Prefix - } - return "" -} - -func (x *StringMatch) GetSuffix() string { - if x, ok := x.GetMatchType().(*StringMatch_Suffix); ok { - return x.Suffix - } - return "" -} - -func (x *StringMatch) GetRegex() string { - if x, ok := x.GetMatchType().(*StringMatch_Regex); ok { - return x.Regex - } - return "" -} - -type isStringMatch_MatchType interface { - isStringMatch_MatchType() -} - -type StringMatch_Exact struct { - // exact string match. - Exact string `protobuf:"bytes,1,opt,name=exact,proto3,oneof"` -} - -type StringMatch_Prefix struct { - // prefix-based match. - Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3,oneof"` -} - -type StringMatch_Suffix struct { - // suffix-based match. - Suffix string `protobuf:"bytes,3,opt,name=suffix,proto3,oneof"` -} - -type StringMatch_Regex struct { - // RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - Regex string `protobuf:"bytes,4,opt,name=regex,proto3,oneof"` -} - -func (*StringMatch_Exact) isStringMatch_MatchType() {} - -func (*StringMatch_Prefix) isStringMatch_MatchType() {} - -func (*StringMatch_Suffix) isStringMatch_MatchType() {} - -func (*StringMatch_Regex) isStringMatch_MatchType() {} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/PeerAuthentication instead. -// TLS authentication params. -type MutualTls struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Deprecated. 
Please use mode = PERMISSIVE instead. - // If set, will translate to `TLS_PERMISSIVE` mode. - // Set this flag to true to allow regular TLS (i.e without client x509 - // certificate). If request carries client certificate, identity will be - // extracted and used (set to peer identity). Otherwise, peer identity will - // be left unset. - // When the flag is false (default), request must have client certificate. - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - AllowTls bool `protobuf:"varint,1,opt,name=allow_tls,json=allowTls,proto3" json:"allow_tls,omitempty"` - // Defines the mode of mTLS authentication. - Mode MutualTls_Mode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.authentication.v1alpha1.MutualTls_Mode" json:"mode,omitempty"` -} - -func (x *MutualTls) Reset() { - *x = MutualTls{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *MutualTls) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MutualTls) ProtoMessage() {} - -func (x *MutualTls) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[1] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MutualTls.ProtoReflect.Descriptor instead. -func (*MutualTls) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{1} -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *MutualTls) GetAllowTls() bool { - if x != nil { - return x.AllowTls - } - return false -} - -func (x *MutualTls) GetMode() MutualTls_Mode { - if x != nil { - return x.Mode - } - return MutualTls_STRICT -} - -// $hide_from_docs -// Deprecated. 
Please use security/v1beta1/RequestAuthentication instead. -// JSON Web Token (JWT) token format for authentication as defined by -// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and -// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole -// authentication flow. -// -// For example: -// -// A JWT for any requests: -// -// ```yaml -// issuer: https://example.com -// audiences: -// - bookstore_android.apps.googleusercontent.com -// bookstore_web.apps.googleusercontent.com -// -// jwksUri: https://example.com/.well-known/jwks.json -// ``` -// -// A JWT for all requests except request at path `/health_check` and path with -// prefix `/status/`. This is useful to expose some paths for public access but -// keep others JWT validated. -// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - excludedPaths: -// - exact: /health_check -// - prefix: /status/ -// -// ``` -// -// A JWT only for requests at path `/admin`. This is useful to only require JWT -// validation on a specific set of paths but keep others public accessible. -// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - includedPaths: -// - prefix: /admin -// -// ``` -// -// A JWT only for requests at path of prefix `/status/` but except the path of -// `/status/version`. This means for any request path with prefix `/status/` except -// `/status/version` will require a valid JWT to proceed. -// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - excludedPaths: -// - exact: /status/version -// includedPaths: -// - prefix: /status/ -// -// ``` -type Jwt struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Identifies the issuer that issued the JWT. 
See - // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) - // Usually a URL or an email address. - // - // Example: https://securetoken.google.com - // Example: 1234567-compute@developer.gserviceaccount.com - Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` - // The list of JWT - // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). - // that are allowed to access. A JWT containing any of these - // audiences will be accepted. - // - // The service name will be accepted if audiences is empty. - // - // Example: - // - // ```yaml - // audiences: - // - bookstore_android.apps.googleusercontent.com - // bookstore_web.apps.googleusercontent.com - // - // ``` - Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` - // URL of the provider's public key set to validate signature of the - // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). - // - // Optional if the key set document can either (a) be retrieved from - // [OpenID - // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of - // the issuer or (b) inferred from the email domain of the issuer (e.g. a - // Google service account). - // - // Example: `https://www.googleapis.com/oauth2/v1/certs` - // - // Note: Only one of jwks_uri and jwks should be used. - JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` - // JSON Web Key Set of public keys to validate signature of the JWT. - // See https://auth0.com/docs/jwks. - // - // Note: Only one of jwks_uri and jwks should be used. - Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"` - // JWT is sent in a request header. `header` represents the - // header name. - // - // For example, if `header=x-goog-iap-jwt-assertion`, the header - // format will be `x-goog-iap-jwt-assertion: `. 
- JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders,proto3" json:"jwt_headers,omitempty"` - // JWT is sent in a query parameter. `query` represents the - // query parameter name. - // - // For example, `query=jwt_token`. - JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams,proto3" json:"jwt_params,omitempty"` - // List of trigger rules to decide if this JWT should be used to validate the - // request. The JWT validation happens if any one of the rules matched. - // If the list is not empty and none of the rules matched, authentication will - // skip the JWT validation. - // Leave this empty to always trigger the JWT validation. - TriggerRules []*Jwt_TriggerRule `protobuf:"bytes,9,rep,name=trigger_rules,json=triggerRules,proto3" json:"trigger_rules,omitempty"` -} - -func (x *Jwt) Reset() { - *x = Jwt{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *Jwt) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Jwt) ProtoMessage() {} - -func (x *Jwt) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[2] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Jwt.ProtoReflect.Descriptor instead. 
-func (*Jwt) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{2} -} - -func (x *Jwt) GetIssuer() string { - if x != nil { - return x.Issuer - } - return "" -} - -func (x *Jwt) GetAudiences() []string { - if x != nil { - return x.Audiences - } - return nil -} - -func (x *Jwt) GetJwksUri() string { - if x != nil { - return x.JwksUri - } - return "" -} - -func (x *Jwt) GetJwks() string { - if x != nil { - return x.Jwks - } - return "" -} - -func (x *Jwt) GetJwtHeaders() []string { - if x != nil { - return x.JwtHeaders - } - return nil -} - -func (x *Jwt) GetJwtParams() []string { - if x != nil { - return x.JwtParams - } - return nil -} - -func (x *Jwt) GetTriggerRules() []*Jwt_TriggerRule { - if x != nil { - return x.TriggerRules - } - return nil -} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/PeerAuthentication instead. -// PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported -// at the moment. -// The type can be progammatically determine by checking the type of the -// "params" field. 
-type PeerAuthenticationMethod struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // $hide_from_docs - // - // Types that are assignable to Params: - // - // *PeerAuthenticationMethod_Mtls - // *PeerAuthenticationMethod_Jwt - Params isPeerAuthenticationMethod_Params `protobuf_oneof:"params"` -} - -func (x *PeerAuthenticationMethod) Reset() { - *x = PeerAuthenticationMethod{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *PeerAuthenticationMethod) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*PeerAuthenticationMethod) ProtoMessage() {} - -func (x *PeerAuthenticationMethod) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[3] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use PeerAuthenticationMethod.ProtoReflect.Descriptor instead. -func (*PeerAuthenticationMethod) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{3} -} - -func (m *PeerAuthenticationMethod) GetParams() isPeerAuthenticationMethod_Params { - if m != nil { - return m.Params - } - return nil -} - -func (x *PeerAuthenticationMethod) GetMtls() *MutualTls { - if x, ok := x.GetParams().(*PeerAuthenticationMethod_Mtls); ok { - return x.Mtls - } - return nil -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *PeerAuthenticationMethod) GetJwt() *Jwt { - if x, ok := x.GetParams().(*PeerAuthenticationMethod_Jwt); ok { - return x.Jwt - } - return nil -} - -type isPeerAuthenticationMethod_Params interface { - isPeerAuthenticationMethod_Params() -} - -type PeerAuthenticationMethod_Mtls struct { - // Set if mTLS is used. 
- Mtls *MutualTls `protobuf:"bytes,1,opt,name=mtls,proto3,oneof"` -} - -type PeerAuthenticationMethod_Jwt struct { - // $hide_from_docs - // Deprecated. - // Set if JWT is used. This option was never available. - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - Jwt *Jwt `protobuf:"bytes,2,opt,name=jwt,proto3,oneof"` -} - -func (*PeerAuthenticationMethod_Mtls) isPeerAuthenticationMethod_Params() {} - -func (*PeerAuthenticationMethod_Jwt) isPeerAuthenticationMethod_Params() {} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/RequestAuthentication instead. -// OriginAuthenticationMethod defines authentication method/params for origin -// authentication. Origin could be end-user, device, delegate service etc. -// Currently, only JWT is supported for origin authentication. -type OriginAuthenticationMethod struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Jwt params for the method. - Jwt *Jwt `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"` -} - -func (x *OriginAuthenticationMethod) Reset() { - *x = OriginAuthenticationMethod{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *OriginAuthenticationMethod) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OriginAuthenticationMethod) ProtoMessage() {} - -func (x *OriginAuthenticationMethod) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[4] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OriginAuthenticationMethod.ProtoReflect.Descriptor instead. 
-func (*OriginAuthenticationMethod) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{4} -} - -func (x *OriginAuthenticationMethod) GetJwt() *Jwt { - if x != nil { - return x.Jwt - } - return nil -} - -// $hide_from_docs -// Policy defines what authentication methods can be accepted on workload(s), -// and if authenticated, which method/certificate will set the request principal -// (i.e request.auth.principal attribute). -// -// Authentication policy is composed of 2-part authentication: -// - peer: verify caller service credentials. This part will set source.user -// (peer identity). -// - origin: verify the origin credentials. This part will set request.auth.user -// (origin identity), as well as other attributes like request.auth.presenter, -// request.auth.audiences and raw claims. Note that the identity could be -// end-user, service account, device etc. -// -// Last but not least, the principal binding rule defines which identity (peer -// or origin) should be used as principal. By default, it uses peer. -// -// Examples: -// -// Policy to enable mTLS for all services in namespace frod. The policy name must be -// `default`, and it contains no rule for `targets`. -// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// -// name: default -// namespace: frod -// -// spec: -// -// peers: -// - mtls: -// -// ``` -// Policy to disable mTLS for "productpage" service -// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// -// name: productpage-mTLS-disable -// namespace: frod -// -// spec: -// -// targets: -// - name: productpage -// -// ``` -// Policy to require mTLS for peer authentication, and JWT for origin authentication -// for productpage:9000 except the path '/health_check' . Principal is set from origin identity. 
-// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// -// name: productpage-mTLS-with-JWT -// namespace: frod -// -// spec: -// -// targets: -// - name: productpage -// ports: -// - number: 9000 -// peers: -// - mtls: -// origins: -// - jwt: -// issuer: "https://securetoken.google.com" -// audiences: -// - "productpage" -// jwksUri: "https://www.googleapis.com/oauth2/v1/certs" -// jwtHeaders: -// - "x-goog-iap-jwt-assertion" -// triggerRules: -// - excludedPaths: -// - exact: /health_check -// principalBinding: USE_ORIGIN -// -// ``` -type Policy struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Deprecated. Only mesh-level and namespace-level policies are supported. - // List rules to select workloads that the policy should be applied on. - // If empty, policy will be used on all workloads in the same namespace. - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - Targets []*TargetSelector `protobuf:"bytes,1,rep,name=targets,proto3" json:"targets,omitempty"` - // $hide_from_docs - // Deprecated. Please use security/v1beta1/PeerAuthentication instead. - // List of authentication methods that can be used for peer authentication. - // They will be evaluated in order; the first validate one will be used to - // set peer identity (source.user) and other peer attributes. If none of - // these methods pass, request will be rejected with authentication failed error (401). - // Leave the list empty if peer authentication is not required - Peers []*PeerAuthenticationMethod `protobuf:"bytes,2,rep,name=peers,proto3" json:"peers,omitempty"` - // Deprecated. Should set mTLS to PERMISSIVE instead. - // Set this flag to true to accept request (for peer authentication perspective), - // even when none of the peer authentication methods defined above satisfied. 
- // Typically, this is used to delay the rejection decision to next layer (e.g - // authorization). - // This flag is ignored if no authentication defined for peer (peers field is empty). - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - PeerIsOptional bool `protobuf:"varint,3,opt,name=peer_is_optional,json=peerIsOptional,proto3" json:"peer_is_optional,omitempty"` - // Deprecated. Please use security/v1beta1/RequestAuthentication instead. - // List of authentication methods that can be used for origin authentication. - // Similar to peers, these will be evaluated in order; the first validate one - // will be used to set origin identity and attributes (i.e request.auth.user, - // request.auth.issuer etc). If none of these methods pass, request will be - // rejected with authentication failed error (401). - // A method may be skipped, depends on its trigger rule. If all of these methods - // are skipped, origin authentication will be ignored, as if it is not defined. - // Leave the list empty if origin authentication is not required. - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - Origins []*OriginAuthenticationMethod `protobuf:"bytes,4,rep,name=origins,proto3" json:"origins,omitempty"` - // Deprecated. Please use security/v1beta1/RequestAuthentication instead. - // Set this flag to true to accept request (for origin authentication perspective), - // even when none of the origin authentication methods defined above satisfied. - // Typically, this is used to delay the rejection decision to next layer (e.g - // authorization). - // This flag is ignored if no authentication defined for origin (origins field is empty). - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - OriginIsOptional bool `protobuf:"varint,5,opt,name=origin_is_optional,json=originIsOptional,proto3" json:"origin_is_optional,omitempty"` - // Deprecated. 
Source principal is always from peer, and request principal is always from - // RequestAuthentication. - // Define whether peer or origin identity should be use for principal. Default - // value is USE_PEER. - // If peer (or origin) identity is not available, either because of peer/origin - // authentication is not defined, or failed, principal will be left unset. - // In other words, binding rule does not affect the decision to accept or - // reject request. - // - // Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. - PrincipalBinding PrincipalBinding `protobuf:"varint,6,opt,name=principal_binding,json=principalBinding,proto3,enum=istio.authentication.v1alpha1.PrincipalBinding" json:"principal_binding,omitempty"` -} - -func (x *Policy) Reset() { - *x = Policy{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *Policy) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Policy) ProtoMessage() {} - -func (x *Policy) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[5] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Policy.ProtoReflect.Descriptor instead. -func (*Policy) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{5} -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *Policy) GetTargets() []*TargetSelector { - if x != nil { - return x.Targets - } - return nil -} - -func (x *Policy) GetPeers() []*PeerAuthenticationMethod { - if x != nil { - return x.Peers - } - return nil -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. 
-func (x *Policy) GetPeerIsOptional() bool { - if x != nil { - return x.PeerIsOptional - } - return false -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *Policy) GetOrigins() []*OriginAuthenticationMethod { - if x != nil { - return x.Origins - } - return nil -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *Policy) GetOriginIsOptional() bool { - if x != nil { - return x.OriginIsOptional - } - return false -} - -// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto. -func (x *Policy) GetPrincipalBinding() PrincipalBinding { - if x != nil { - return x.PrincipalBinding - } - return PrincipalBinding_USE_PEER -} - -// $hide_from_docs -// Deprecated. Only support mesh and namespace level policy in the future. -// TargetSelector defines a matching rule to a workload. A workload is selected -// if it is associated with the service name and service port(s) specified in the selector rule. -type TargetSelector struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The name must be a short name from the service registry. The - // fully qualified domain name will be resolved in a platform specific manner. - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - // Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports. - // For example, if a service is defined as below, then `8000` should be used, not `9000`. - // ```yaml - // kind: Service - // metadata: - // - // ... - // - // spec: - // - // ports: - // - name: http - // port: 8000 - // targetPort: 9000 - // selector: - // app: backend - // - // ``` - // Leave empty to match all ports that are exposed. 
- Ports []*PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"` -} - -func (x *TargetSelector) Reset() { - *x = TargetSelector{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *TargetSelector) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*TargetSelector) ProtoMessage() {} - -func (x *TargetSelector) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[6] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use TargetSelector.ProtoReflect.Descriptor instead. -func (*TargetSelector) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{6} -} - -func (x *TargetSelector) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -func (x *TargetSelector) GetPorts() []*PortSelector { - if x != nil { - return x.Ports - } - return nil -} - -// $hide_from_docs -// Deprecated. Only support mesh and namespace level policy in the future. -// PortSelector specifies the name or number of a port to be used for -// matching targets for authentication policy. This is copied from -// networking API to avoid dependency. 
-type PortSelector struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Types that are assignable to Port: - // - // *PortSelector_Number - // *PortSelector_Name - Port isPortSelector_Port `protobuf_oneof:"port"` -} - -func (x *PortSelector) Reset() { - *x = PortSelector{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *PortSelector) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*PortSelector) ProtoMessage() {} - -func (x *PortSelector) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[7] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use PortSelector.ProtoReflect.Descriptor instead. -func (*PortSelector) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{7} -} - -func (m *PortSelector) GetPort() isPortSelector_Port { - if m != nil { - return m.Port - } - return nil -} - -func (x *PortSelector) GetNumber() uint32 { - if x, ok := x.GetPort().(*PortSelector_Number); ok { - return x.Number - } - return 0 -} - -func (x *PortSelector) GetName() string { - if x, ok := x.GetPort().(*PortSelector_Name); ok { - return x.Name - } - return "" -} - -type isPortSelector_Port interface { - isPortSelector_Port() -} - -type PortSelector_Number struct { - // Valid port number - Number uint32 `protobuf:"varint,1,opt,name=number,proto3,oneof"` -} - -type PortSelector_Name struct { - // Port name - Name string `protobuf:"bytes,2,opt,name=name,proto3,oneof"` -} - -func (*PortSelector_Number) isPortSelector_Port() {} - -func (*PortSelector_Name) isPortSelector_Port() {} - -// $hide_from_docs -// Trigger rule to match against a request. 
The trigger rule is satisfied if -// and only if both rules, excluded_paths and include_paths are satisfied. -type Jwt_TriggerRule struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // List of paths to be excluded from the request. The rule is satisfied if - // request path does not match to any of the path in this list. - ExcludedPaths []*StringMatch `protobuf:"bytes,1,rep,name=excluded_paths,json=excludedPaths,proto3" json:"excluded_paths,omitempty"` - // List of paths that the request must include. If the list is not empty, the - // rule is satisfied if request path matches at least one of the path in the list. - // If the list is empty, the rule is ignored, in other words the rule is always satisfied. - IncludedPaths []*StringMatch `protobuf:"bytes,2,rep,name=included_paths,json=includedPaths,proto3" json:"included_paths,omitempty"` -} - -func (x *Jwt_TriggerRule) Reset() { - *x = Jwt_TriggerRule{} - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *Jwt_TriggerRule) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Jwt_TriggerRule) ProtoMessage() {} - -func (x *Jwt_TriggerRule) ProtoReflect() protoreflect.Message { - mi := &file_authentication_v1alpha1_policy_proto_msgTypes[8] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Jwt_TriggerRule.ProtoReflect.Descriptor instead. 
-func (*Jwt_TriggerRule) Descriptor() ([]byte, []int) { - return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), []int{2, 0} -} - -func (x *Jwt_TriggerRule) GetExcludedPaths() []*StringMatch { - if x != nil { - return x.ExcludedPaths - } - return nil -} - -func (x *Jwt_TriggerRule) GetIncludedPaths() []*StringMatch { - if x != nil { - return x.IncludedPaths - } - return nil -} - -var File_authentication_v1alpha1_policy_proto protoreflect.FileDescriptor - -var file_authentication_v1alpha1_policy_proto_rawDesc = []byte{ - 0x0a, 0x24, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, - 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7f, 0x0a, 0x0b, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, - 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x78, 0x61, 0x63, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x65, 0x78, 0x61, 0x63, 0x74, 0x12, 0x18, 0x0a, - 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, - 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x18, 0x0a, 0x06, 0x73, 0x75, 0x66, 0x66, 0x69, - 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x06, 0x73, 0x75, 0x66, 0x66, 0x69, - 0x78, 0x12, 0x16, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x48, 0x00, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x42, 0x0c, 0x0a, 0x0a, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x93, 0x01, 0x0a, 0x09, 0x4d, 0x75, 0x74, 
0x75, - 0x61, 0x6c, 0x54, 0x6c, 0x73, 0x12, 0x1f, 0x0a, 0x09, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x74, - 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x08, 0x61, 0x6c, - 0x6c, 0x6f, 0x77, 0x54, 0x6c, 0x73, 0x12, 0x41, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, - 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x6c, 0x73, 0x2e, 0x4d, - 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0x22, 0x0a, 0x04, 0x4d, 0x6f, 0x64, - 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x10, 0x00, 0x12, 0x0e, 0x0a, - 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x01, 0x22, 0xb5, 0x03, - 0x0a, 0x03, 0x4a, 0x77, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, - 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6a, - 0x77, 0x6b, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6a, - 0x77, 0x6b, 0x73, 0x55, 0x72, 0x69, 0x12, 0x12, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x6a, 0x77, - 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x0a, 0x6a, 0x77, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x6a, - 0x77, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x09, 0x6a, 0x77, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x53, 0x0a, 0x0d, 0x74, 0x72, - 0x69, 0x67, 0x67, 0x65, 0x72, 
0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x2e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, - 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x2e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c, - 0x65, 0x52, 0x0c, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x1a, - 0xb3, 0x01, 0x0a, 0x0b, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c, 0x65, 0x12, - 0x51, 0x0a, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x5f, 0x70, 0x61, 0x74, 0x68, - 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, - 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x4d, 0x61, - 0x74, 0x63, 0x68, 0x52, 0x0d, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x50, 0x61, 0x74, - 0x68, 0x73, 0x12, 0x51, 0x0a, 0x0e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x5f, 0x70, - 0x61, 0x74, 0x68, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, - 0x67, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x0d, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, - 0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0xa0, 0x01, 0x0a, 0x18, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, - 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68, - 0x6f, 0x64, 0x12, 0x3e, 0x0a, 0x04, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 
0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x6c, 0x73, 0x48, 0x00, 0x52, 0x04, 0x6d, 0x74, - 0x6c, 0x73, 0x12, 0x3a, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x22, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x4a, 0x77, 0x74, 0x42, 0x02, 0x18, 0x01, 0x48, 0x00, 0x52, 0x03, 0x6a, 0x77, 0x74, 0x42, 0x08, - 0x0a, 0x06, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x22, 0x52, 0x0a, 0x1a, 0x4f, 0x72, 0x69, 0x67, - 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x34, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, - 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x52, 0x03, 0x6a, 0x77, 0x74, 0x22, 0xbf, 0x03, 0x0a, - 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x4b, 0x0a, 0x07, 0x74, 0x61, 0x72, 0x67, 0x65, - 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x53, - 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x42, 0x02, 0x18, 0x01, 0x52, 0x07, 0x74, 0x61, 0x72, - 0x67, 0x65, 0x74, 0x73, 0x12, 0x4d, 0x0a, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, - 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x52, 0x05, 0x70, 0x65, - 0x65, 0x72, 0x73, 0x12, 0x2c, 0x0a, 0x10, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x69, 0x73, 0x5f, 0x6f, - 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, - 0x01, 0x52, 0x0e, 0x70, 0x65, 0x65, 0x72, 0x49, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x12, 0x57, 0x0a, 0x07, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, - 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x42, 0x02, 0x18, - 0x01, 0x52, 0x07, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x73, 0x12, 0x30, 0x0a, 0x12, 0x6f, 0x72, - 0x69, 0x67, 0x69, 0x6e, 0x5f, 0x69, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, - 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x6f, 0x72, 0x69, 0x67, - 0x69, 0x6e, 0x49, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x12, 0x60, 0x0a, 0x11, - 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x5f, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e, - 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, - 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, - 0x6c, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x70, 0x72, - 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x22, 0x7b, - 0x0a, 0x0e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, - 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 
0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, - 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x05, 0x70, 0x6f, - 0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65, - 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x4a, 0x04, 0x08, - 0x03, 0x10, 0x04, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x22, 0x46, 0x0a, 0x0c, 0x50, - 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x18, 0x0a, 0x06, 0x6e, - 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x06, 0x6e, - 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x42, 0x06, 0x0a, 0x04, 0x70, - 0x6f, 0x72, 0x74, 0x2a, 0x30, 0x0a, 0x10, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, - 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f, 0x50, - 0x45, 0x45, 0x52, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x55, 0x53, 0x45, 0x5f, 0x4f, 0x52, 0x49, - 0x47, 0x49, 0x4e, 0x10, 0x01, 0x42, 0x26, 0x5a, 0x24, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, - 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_authentication_v1alpha1_policy_proto_rawDescOnce sync.Once - file_authentication_v1alpha1_policy_proto_rawDescData = file_authentication_v1alpha1_policy_proto_rawDesc -) - -func file_authentication_v1alpha1_policy_proto_rawDescGZIP() []byte { - file_authentication_v1alpha1_policy_proto_rawDescOnce.Do(func() { - 
file_authentication_v1alpha1_policy_proto_rawDescData = protoimpl.X.CompressGZIP(file_authentication_v1alpha1_policy_proto_rawDescData) - }) - return file_authentication_v1alpha1_policy_proto_rawDescData -} - -var file_authentication_v1alpha1_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_authentication_v1alpha1_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 9) -var file_authentication_v1alpha1_policy_proto_goTypes = []any{ - (PrincipalBinding)(0), // 0: istio.authentication.v1alpha1.PrincipalBinding - (MutualTls_Mode)(0), // 1: istio.authentication.v1alpha1.MutualTls.Mode - (*StringMatch)(nil), // 2: istio.authentication.v1alpha1.StringMatch - (*MutualTls)(nil), // 3: istio.authentication.v1alpha1.MutualTls - (*Jwt)(nil), // 4: istio.authentication.v1alpha1.Jwt - (*PeerAuthenticationMethod)(nil), // 5: istio.authentication.v1alpha1.PeerAuthenticationMethod - (*OriginAuthenticationMethod)(nil), // 6: istio.authentication.v1alpha1.OriginAuthenticationMethod - (*Policy)(nil), // 7: istio.authentication.v1alpha1.Policy - (*TargetSelector)(nil), // 8: istio.authentication.v1alpha1.TargetSelector - (*PortSelector)(nil), // 9: istio.authentication.v1alpha1.PortSelector - (*Jwt_TriggerRule)(nil), // 10: istio.authentication.v1alpha1.Jwt.TriggerRule -} -var file_authentication_v1alpha1_policy_proto_depIdxs = []int32{ - 1, // 0: istio.authentication.v1alpha1.MutualTls.mode:type_name -> istio.authentication.v1alpha1.MutualTls.Mode - 10, // 1: istio.authentication.v1alpha1.Jwt.trigger_rules:type_name -> istio.authentication.v1alpha1.Jwt.TriggerRule - 3, // 2: istio.authentication.v1alpha1.PeerAuthenticationMethod.mtls:type_name -> istio.authentication.v1alpha1.MutualTls - 4, // 3: istio.authentication.v1alpha1.PeerAuthenticationMethod.jwt:type_name -> istio.authentication.v1alpha1.Jwt - 4, // 4: istio.authentication.v1alpha1.OriginAuthenticationMethod.jwt:type_name -> istio.authentication.v1alpha1.Jwt - 8, // 5: 
istio.authentication.v1alpha1.Policy.targets:type_name -> istio.authentication.v1alpha1.TargetSelector - 5, // 6: istio.authentication.v1alpha1.Policy.peers:type_name -> istio.authentication.v1alpha1.PeerAuthenticationMethod - 6, // 7: istio.authentication.v1alpha1.Policy.origins:type_name -> istio.authentication.v1alpha1.OriginAuthenticationMethod - 0, // 8: istio.authentication.v1alpha1.Policy.principal_binding:type_name -> istio.authentication.v1alpha1.PrincipalBinding - 9, // 9: istio.authentication.v1alpha1.TargetSelector.ports:type_name -> istio.authentication.v1alpha1.PortSelector - 2, // 10: istio.authentication.v1alpha1.Jwt.TriggerRule.excluded_paths:type_name -> istio.authentication.v1alpha1.StringMatch - 2, // 11: istio.authentication.v1alpha1.Jwt.TriggerRule.included_paths:type_name -> istio.authentication.v1alpha1.StringMatch - 12, // [12:12] is the sub-list for method output_type - 12, // [12:12] is the sub-list for method input_type - 12, // [12:12] is the sub-list for extension type_name - 12, // [12:12] is the sub-list for extension extendee - 0, // [0:12] is the sub-list for field type_name -} - -func init() { file_authentication_v1alpha1_policy_proto_init() } -func file_authentication_v1alpha1_policy_proto_init() { - if File_authentication_v1alpha1_policy_proto != nil { - return - } - file_authentication_v1alpha1_policy_proto_msgTypes[0].OneofWrappers = []any{ - (*StringMatch_Exact)(nil), - (*StringMatch_Prefix)(nil), - (*StringMatch_Suffix)(nil), - (*StringMatch_Regex)(nil), - } - file_authentication_v1alpha1_policy_proto_msgTypes[3].OneofWrappers = []any{ - (*PeerAuthenticationMethod_Mtls)(nil), - (*PeerAuthenticationMethod_Jwt)(nil), - } - file_authentication_v1alpha1_policy_proto_msgTypes[7].OneofWrappers = []any{ - (*PortSelector_Number)(nil), - (*PortSelector_Name)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: 
file_authentication_v1alpha1_policy_proto_rawDesc, - NumEnums: 2, - NumMessages: 9, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_authentication_v1alpha1_policy_proto_goTypes, - DependencyIndexes: file_authentication_v1alpha1_policy_proto_depIdxs, - EnumInfos: file_authentication_v1alpha1_policy_proto_enumTypes, - MessageInfos: file_authentication_v1alpha1_policy_proto_msgTypes, - }.Build() - File_authentication_v1alpha1_policy_proto = out.File - file_authentication_v1alpha1_policy_proto_rawDesc = nil - file_authentication_v1alpha1_policy_proto_goTypes = nil - file_authentication_v1alpha1_policy_proto_depIdxs = nil -} diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto deleted file mode 100644 index d49148250ef..00000000000 --- a/authentication/v1alpha1/policy.proto +++ /dev/null 
@@ -1,432 +0,0 @@ -// Copyright 2018 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -// $schema: istio.authentication.v1alpha1.Policy -// $mode: package - -// This package defines user-facing authentication policy. -package istio.authentication.v1alpha1; - -import "google/api/field_behavior.proto"; - -option go_package = "istio.io/api/authentication/v1alpha1"; - -// $hide_from_docs -// Describes how to match a given string. Match is case-sensitive. -message StringMatch { - oneof match_type { - // exact string match. - string exact = 1; - - // prefix-based match. - string prefix = 2; - - // suffix-based match. - string suffix = 3; - - // RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - string regex = 4; - } -} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/PeerAuthentication instead. -// TLS authentication params. -message MutualTls { - // $hide_from_docs - // Defines the acceptable connection TLS mode. - enum Mode { - // Client cert must be presented, connection is in TLS. - STRICT = 0; - - // Connection can be either plaintext or TLS with Client cert. - PERMISSIVE = 1; - }; - - // Deprecated. Please use mode = PERMISSIVE instead. - // If set, will translate to `TLS_PERMISSIVE` mode. - // Set this flag to true to allow regular TLS (i.e without client x509 - // certificate). 
If request carries client certificate, identity will be - // extracted and used (set to peer identity). Otherwise, peer identity will - // be left unset. - // When the flag is false (default), request must have client certificate. - bool allow_tls = 1 [deprecated=true]; - - // Defines the mode of mTLS authentication. - Mode mode = 2; -} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/RequestAuthentication instead. -// JSON Web Token (JWT) token format for authentication as defined by -// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and -// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole -// authentication flow. -// -// For example: -// -// A JWT for any requests: -// -// ```yaml -// issuer: https://example.com -// audiences: -// - bookstore_android.apps.googleusercontent.com -// bookstore_web.apps.googleusercontent.com -// jwksUri: https://example.com/.well-known/jwks.json -// ``` -// -// A JWT for all requests except request at path `/health_check` and path with -// prefix `/status/`. This is useful to expose some paths for public access but -// keep others JWT validated. -// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - excludedPaths: -// - exact: /health_check -// - prefix: /status/ -// ``` -// -// A JWT only for requests at path `/admin`. This is useful to only require JWT -// validation on a specific set of paths but keep others public accessible. -// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - includedPaths: -// - prefix: /admin -// ``` -// -// A JWT only for requests at path of prefix `/status/` but except the path of -// `/status/version`. This means for any request path with prefix `/status/` except -// `/status/version` will require a valid JWT to proceed. 
-// -// ```yaml -// issuer: https://example.com -// jwksUri: https://example.com/.well-known/jwks.json -// triggerRules: -// - excludedPaths: -// - exact: /status/version -// includedPaths: -// - prefix: /status/ -// ``` -message Jwt { - // Identifies the issuer that issued the JWT. See - // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) - // Usually a URL or an email address. - // - // Example: https://securetoken.google.com - // Example: 1234567-compute@developer.gserviceaccount.com - string issuer = 1; - - // The list of JWT - // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). - // that are allowed to access. A JWT containing any of these - // audiences will be accepted. - // - // The service name will be accepted if audiences is empty. - // - // Example: - // - // ```yaml - // audiences: - // - bookstore_android.apps.googleusercontent.com - // bookstore_web.apps.googleusercontent.com - // ``` - repeated string audiences = 2; - - // URL of the provider's public key set to validate signature of the - // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). - // - // Optional if the key set document can either (a) be retrieved from - // [OpenID - // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of - // the issuer or (b) inferred from the email domain of the issuer (e.g. a - // Google service account). - // - // Example: `https://www.googleapis.com/oauth2/v1/certs` - // - // Note: Only one of jwks_uri and jwks should be used. - string jwks_uri = 3; - - // JSON Web Key Set of public keys to validate signature of the JWT. - // See https://auth0.com/docs/jwks. - // - // Note: Only one of jwks_uri and jwks should be used. - string jwks = 10; - - // Two fields below define where to extract the JWT from an HTTP request. 
- // - // If no explicit location is specified the following default - // locations are tried in order: - // - // 1) The Authorization header using the Bearer schema, - // e.g. Authorization: Bearer . (see - // [Authorization Request Header - // Field](https://tools.ietf.org/html/rfc6750#section-2.1)) - // - // 2) `access_token` query parameter (see - // [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3)) - - // JWT is sent in a request header. `header` represents the - // header name. - // - // For example, if `header=x-goog-iap-jwt-assertion`, the header - // format will be `x-goog-iap-jwt-assertion: `. - repeated string jwt_headers = 6; - - // JWT is sent in a query parameter. `query` represents the - // query parameter name. - // - // For example, `query=jwt_token`. - repeated string jwt_params = 7; - - // $hide_from_docs - // Trigger rule to match against a request. The trigger rule is satisfied if - // and only if both rules, excluded_paths and include_paths are satisfied. - message TriggerRule { - // List of paths to be excluded from the request. The rule is satisfied if - // request path does not match to any of the path in this list. - repeated StringMatch excluded_paths = 1; - - // List of paths that the request must include. If the list is not empty, the - // rule is satisfied if request path matches at least one of the path in the list. - // If the list is empty, the rule is ignored, in other words the rule is always satisfied. - repeated StringMatch included_paths = 2; - } - - // List of trigger rules to decide if this JWT should be used to validate the - // request. The JWT validation happens if any one of the rules matched. - // If the list is not empty and none of the rules matched, authentication will - // skip the JWT validation. - // Leave this empty to always trigger the JWT validation. 
- repeated TriggerRule trigger_rules = 9; - - // $hide_from_docs - // Next available field number: 11 -} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/PeerAuthentication instead. -// PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported -// at the moment. -// The type can be progammatically determine by checking the type of the -// "params" field. -message PeerAuthenticationMethod { - // $hide_from_docs - oneof params { - // Set if mTLS is used. - MutualTls mtls = 1; - - // $hide_from_docs - // Deprecated. - // Set if JWT is used. This option was never available. - Jwt jwt = 2 [deprecated=true]; - } -} - -// $hide_from_docs -// Deprecated. Please use security/v1beta1/RequestAuthentication instead. -// OriginAuthenticationMethod defines authentication method/params for origin -// authentication. Origin could be end-user, device, delegate service etc. -// Currently, only JWT is supported for origin authentication. -message OriginAuthenticationMethod { - // Jwt params for the method. - Jwt jwt = 1; -} - -// $hide_from_docs -// Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always -// comes from request authentication (i.e JWT). -// Associates authentication with request principal. -enum PrincipalBinding { - // Principal will be set to the identity from peer authentication. - USE_PEER = 0; - - // Principal will be set to the identity from origin authentication. - USE_ORIGIN = 1; -} - -// $hide_from_docs -// Policy defines what authentication methods can be accepted on workload(s), -// and if authenticated, which method/certificate will set the request principal -// (i.e request.auth.principal attribute). -// -// Authentication policy is composed of 2-part authentication: -// - peer: verify caller service credentials. This part will set source.user -// (peer identity). -// - origin: verify the origin credentials. 
This part will set request.auth.user -// (origin identity), as well as other attributes like request.auth.presenter, -// request.auth.audiences and raw claims. Note that the identity could be -// end-user, service account, device etc. -// -// Last but not least, the principal binding rule defines which identity (peer -// or origin) should be used as principal. By default, it uses peer. -// -// Examples: -// -// Policy to enable mTLS for all services in namespace frod. The policy name must be -// `default`, and it contains no rule for `targets`. -// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// name: default -// namespace: frod -// spec: -// peers: -// - mtls: -// ``` -// Policy to disable mTLS for "productpage" service -// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// name: productpage-mTLS-disable -// namespace: frod -// spec: -// targets: -// - name: productpage -// ``` -// Policy to require mTLS for peer authentication, and JWT for origin authentication -// for productpage:9000 except the path '/health_check' . Principal is set from origin identity. -// -// ```yaml -// apiVersion: authentication.istio.io/v1alpha1 -// kind: Policy -// metadata: -// name: productpage-mTLS-with-JWT -// namespace: frod -// spec: -// targets: -// - name: productpage -// ports: -// - number: 9000 -// peers: -// - mtls: -// origins: -// - jwt: -// issuer: "https://securetoken.google.com" -// audiences: -// - "productpage" -// jwksUri: "https://www.googleapis.com/oauth2/v1/certs" -// jwtHeaders: -// - "x-goog-iap-jwt-assertion" -// triggerRules: -// - excludedPaths: -// - exact: /health_check -// principalBinding: USE_ORIGIN -// ``` -message Policy { - // Deprecated. Only mesh-level and namespace-level policies are supported. - // List rules to select workloads that the policy should be applied on. - // If empty, policy will be used on all workloads in the same namespace. 
- repeated TargetSelector targets = 1 [deprecated=true]; - - // $hide_from_docs - // Deprecated. Please use security/v1beta1/PeerAuthentication instead. - // List of authentication methods that can be used for peer authentication. - // They will be evaluated in order; the first validate one will be used to - // set peer identity (source.user) and other peer attributes. If none of - // these methods pass, request will be rejected with authentication failed error (401). - // Leave the list empty if peer authentication is not required - repeated PeerAuthenticationMethod peers = 2; - - // Deprecated. Should set mTLS to PERMISSIVE instead. - // Set this flag to true to accept request (for peer authentication perspective), - // even when none of the peer authentication methods defined above satisfied. - // Typically, this is used to delay the rejection decision to next layer (e.g - // authorization). - // This flag is ignored if no authentication defined for peer (peers field is empty). - bool peer_is_optional = 3 [deprecated=true]; - - // Deprecated. Please use security/v1beta1/RequestAuthentication instead. - // List of authentication methods that can be used for origin authentication. - // Similar to peers, these will be evaluated in order; the first validate one - // will be used to set origin identity and attributes (i.e request.auth.user, - // request.auth.issuer etc). If none of these methods pass, request will be - // rejected with authentication failed error (401). - // A method may be skipped, depends on its trigger rule. If all of these methods - // are skipped, origin authentication will be ignored, as if it is not defined. - // Leave the list empty if origin authentication is not required. - repeated OriginAuthenticationMethod origins = 4 [deprecated=true]; - - // Deprecated. Please use security/v1beta1/RequestAuthentication instead. 
- // Set this flag to true to accept request (for origin authentication perspective), - // even when none of the origin authentication methods defined above satisfied. - // Typically, this is used to delay the rejection decision to next layer (e.g - // authorization). - // This flag is ignored if no authentication defined for origin (origins field is empty). - bool origin_is_optional = 5 [deprecated=true]; - - // Deprecated. Source principal is always from peer, and request principal is always from - // RequestAuthentication. - // Define whether peer or origin identity should be use for principal. Default - // value is USE_PEER. - // If peer (or origin) identity is not available, either because of peer/origin - // authentication is not defined, or failed, principal will be left unset. - // In other words, binding rule does not affect the decision to accept or - // reject request. - PrincipalBinding principal_binding = 6 [deprecated=true]; -} - -// $hide_from_docs -// Deprecated. Only support mesh and namespace level policy in the future. -// TargetSelector defines a matching rule to a workload. A workload is selected -// if it is associated with the service name and service port(s) specified in the selector rule. -message TargetSelector { - // The name must be a short name from the service registry. The - // fully qualified domain name will be resolved in a platform specific manner. - string name = 1 [(google.api.field_behavior) = REQUIRED]; - - reserved 3; - reserved "labels"; - - // Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports. - // For example, if a service is defined as below, then `8000` should be used, not `9000`. - // ```yaml - // kind: Service - // metadata: - // ... - // spec: - // ports: - // - name: http - // port: 8000 - // targetPort: 9000 - // selector: - // app: backend - // ``` - //Leave empty to match all ports that are exposed. 
- repeated PortSelector ports = 2;
-}
-
-// $hide_from_docs
-// Deprecated. Only support mesh and namespace level policy in the future.
-// PortSelector specifies the name or number of a port to be used for
-// matching targets for authentication policy. This is copied from
-// networking API to avoid dependency.
-message PortSelector {
- oneof port {
- // Valid port number
- uint32 number = 1;
- // Port name
- string name = 2;
- }
-}
diff --git a/authentication/v1alpha1/policy_deepcopy.gen.go b/authentication/v1alpha1/policy_deepcopy.gen.go
deleted file mode 100644
index c38fae8b778..00000000000
--- a/authentication/v1alpha1/policy_deepcopy.gen.go
+++ /dev/null
@@ -1,195 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package v1alpha1 - -import ( - proto "google.golang.org/protobuf/proto" -) - -// DeepCopyInto supports using StringMatch within kubernetes types, where deepcopy-gen is used. -func (in *StringMatch) DeepCopyInto(out *StringMatch) { - p := proto.Clone(in).(*StringMatch) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen. -func (in *StringMatch) DeepCopy() *StringMatch { - if in == nil { - return nil - } - out := new(StringMatch) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen. -func (in *StringMatch) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MutualTls within kubernetes types, where deepcopy-gen is used. -func (in *MutualTls) DeepCopyInto(out *MutualTls) { - p := proto.Clone(in).(*MutualTls) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen. -func (in *MutualTls) DeepCopy() *MutualTls { - if in == nil { - return nil - } - out := new(MutualTls) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen. -func (in *MutualTls) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Jwt within kubernetes types, where deepcopy-gen is used. -func (in *Jwt) DeepCopyInto(out *Jwt) { - p := proto.Clone(in).(*Jwt) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen. 
-func (in *Jwt) DeepCopy() *Jwt { - if in == nil { - return nil - } - out := new(Jwt) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen. -func (in *Jwt) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Jwt_TriggerRule within kubernetes types, where deepcopy-gen is used. -func (in *Jwt_TriggerRule) DeepCopyInto(out *Jwt_TriggerRule) { - p := proto.Clone(in).(*Jwt_TriggerRule) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen. -func (in *Jwt_TriggerRule) DeepCopy() *Jwt_TriggerRule { - if in == nil { - return nil - } - out := new(Jwt_TriggerRule) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen. -func (in *Jwt_TriggerRule) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using PeerAuthenticationMethod within kubernetes types, where deepcopy-gen is used. -func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod) { - p := proto.Clone(in).(*PeerAuthenticationMethod) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen. -func (in *PeerAuthenticationMethod) DeepCopy() *PeerAuthenticationMethod { - if in == nil { - return nil - } - out := new(PeerAuthenticationMethod) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen. 
-func (in *PeerAuthenticationMethod) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using OriginAuthenticationMethod within kubernetes types, where deepcopy-gen is used. -func (in *OriginAuthenticationMethod) DeepCopyInto(out *OriginAuthenticationMethod) { - p := proto.Clone(in).(*OriginAuthenticationMethod) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen. -func (in *OriginAuthenticationMethod) DeepCopy() *OriginAuthenticationMethod { - if in == nil { - return nil - } - out := new(OriginAuthenticationMethod) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen. -func (in *OriginAuthenticationMethod) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Policy within kubernetes types, where deepcopy-gen is used. -func (in *Policy) DeepCopyInto(out *Policy) { - p := proto.Clone(in).(*Policy) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen. -func (in *Policy) DeepCopy() *Policy { - if in == nil { - return nil - } - out := new(Policy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen. -func (in *Policy) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using TargetSelector within kubernetes types, where deepcopy-gen is used. -func (in *TargetSelector) DeepCopyInto(out *TargetSelector) { - p := proto.Clone(in).(*TargetSelector) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen. 
-func (in *TargetSelector) DeepCopy() *TargetSelector { - if in == nil { - return nil - } - out := new(TargetSelector) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen. -func (in *TargetSelector) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using PortSelector within kubernetes types, where deepcopy-gen is used. -func (in *PortSelector) DeepCopyInto(out *PortSelector) { - p := proto.Clone(in).(*PortSelector) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen. -func (in *PortSelector) DeepCopy() *PortSelector { - if in == nil { - return nil - } - out := new(PortSelector) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen. -func (in *PortSelector) DeepCopyInterface() interface{} { - return in.DeepCopy() -} diff --git a/authentication/v1alpha1/policy_json.gen.go b/authentication/v1alpha1/policy_json.gen.go deleted file mode 100644 index c2c4f8ce4a4..00000000000 --- a/authentication/v1alpha1/policy_json.gen.go +++ /dev/null 
@@ -1,111 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package v1alpha1 - -import ( - bytes "bytes" - jsonpb "github.com/golang/protobuf/jsonpb" -) - -// MarshalJSON is a custom marshaler for StringMatch -func (this *StringMatch) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for StringMatch -func (this *StringMatch) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MutualTls -func (this *MutualTls) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MutualTls -func (this *MutualTls) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Jwt -func (this *Jwt) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Jwt -func (this *Jwt) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Jwt_TriggerRule -func (this *Jwt_TriggerRule) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Jwt_TriggerRule -func (this *Jwt_TriggerRule) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for PeerAuthenticationMethod -func (this *PeerAuthenticationMethod) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for PeerAuthenticationMethod -func (this *PeerAuthenticationMethod) 
UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for OriginAuthenticationMethod -func (this *OriginAuthenticationMethod) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for OriginAuthenticationMethod -func (this *OriginAuthenticationMethod) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Policy -func (this *Policy) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Policy -func (this *Policy) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for TargetSelector -func (this *TargetSelector) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for TargetSelector -func (this *TargetSelector) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for PortSelector -func (this *PortSelector) MarshalJSON() ([]byte, error) { - str, err := PolicyMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for PortSelector -func (this *PortSelector) UnmarshalJSON(b []byte) error { - return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - PolicyMarshaler = &jsonpb.Marshaler{} - PolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} -) From a8e6d0c6232a83571910b952d94a9e73ba6a8775 Mon Sep 17 00:00:00 2001 
From: John Howard Date: Wed, 27 Nov 2024 10:54:23 -0800 Subject: [PATCH 2/2] remove envoy filter too --- .../filter/http/authn/v2alpha1/config.pb.go | 242 ------------------ .../filter/http/authn/v2alpha1/config.proto | 60 ----- 2 files changed, 302 deletions(-) delete mode 100644 envoy/config/filter/http/authn/v2alpha1/config.pb.go delete mode 100644 envoy/config/filter/http/authn/v2alpha1/config.proto diff --git a/envoy/config/filter/http/authn/v2alpha1/config.pb.go b/envoy/config/filter/http/authn/v2alpha1/config.pb.go deleted file mode 100644 index 908e00cc88a..00000000000 --- a/envoy/config/filter/http/authn/v2alpha1/config.pb.go +++ /dev/null 
@@ -1,242 +0,0 @@ -// Copyright 2018 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.35.2 -// protoc (unknown) -// source: envoy/config/filter/http/authn/v2alpha1/config.proto - -// $title: Internal API for authentication implementation on Envoy. - -package v2alpha1 - -import ( - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - v1alpha1 "istio.io/api/authentication/v1alpha1" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -// FilterConfig is the config for Istio-specific filter that is used to enforce -// authentication policy on Envoy. -type FilterConfig struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Policy is the original copy of the policy. - Policy *v1alpha1.Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` - // Map from issuer to location of the payload that is emitted by Jwt filter. - // This information is added by pilot when construct and add Jwt and - // authN filters. 
- JwtOutputPayloadLocations map[string]string `protobuf:"bytes,2,rep,name=jwt_output_payload_locations,json=jwtOutputPayloadLocations,proto3" json:"jwt_output_payload_locations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Skips validating the peer's trust domain. - // By default, the istio authn filter will reject the request if the peer and - // the local service is not in the same trust domain. - // Set this field to true to skip the validation and allows peers from any - // trust domains. - // Note, the istio authn filter only validates the trust domain when mTLS is - // used, In other words, this field has no effect for plaintext traffic. - // TODO(incfly): deprecate this after allowed_trust_domains is shipped. - SkipValidateTrustDomain bool `protobuf:"varint,3,opt,name=skip_validate_trust_domain,json=skipValidateTrustDomain,proto3" json:"skip_validate_trust_domain,omitempty"` - // allowed_trust_domains contains a list of trust domains the authn - // filter should validate against. When configured, only requests with a - // peer from one of the allowed trust domain will be admitted. - // An empty list means all trust domains are allowed. - // When this field is set, the skip_validate_trust_domain field is ignored. - // This field has no effect for plaintext traffic. - AllowedTrustDomains []string `protobuf:"bytes,4,rep,name=allowed_trust_domains,json=allowedTrustDomains,proto3" json:"allowed_trust_domains,omitempty"` - // By default the authn filter will clear the route cache so that the validated - // JWT token claims can be used in routing. - // Advanced users can set this to true to disable the behavior if they do not - // want the authn filter to clear the route cache for any reasons. - // Warning: setting this to true will break the JWT claim based routing. 
- DisableClearRouteCache bool `protobuf:"varint,5,opt,name=disable_clear_route_cache,json=disableClearRouteCache,proto3" json:"disable_clear_route_cache,omitempty"` -} - -func (x *FilterConfig) Reset() { - *x = FilterConfig{} - mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *FilterConfig) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*FilterConfig) ProtoMessage() {} - -func (x *FilterConfig) ProtoReflect() protoreflect.Message { - mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use FilterConfig.ProtoReflect.Descriptor instead. -func (*FilterConfig) Descriptor() ([]byte, []int) { - return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP(), []int{0} -} - -func (x *FilterConfig) GetPolicy() *v1alpha1.Policy { - if x != nil { - return x.Policy - } - return nil -} - -func (x *FilterConfig) GetJwtOutputPayloadLocations() map[string]string { - if x != nil { - return x.JwtOutputPayloadLocations - } - return nil -} - -func (x *FilterConfig) GetSkipValidateTrustDomain() bool { - if x != nil { - return x.SkipValidateTrustDomain - } - return false -} - -func (x *FilterConfig) GetAllowedTrustDomains() []string { - if x != nil { - return x.AllowedTrustDomains - } - return nil -} - -func (x *FilterConfig) GetDisableClearRouteCache() bool { - if x != nil { - return x.DisableClearRouteCache - } - return false -} - -var File_envoy_config_filter_http_authn_v2alpha1_config_proto protoreflect.FileDescriptor - -var file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = []byte{ - 0x0a, 0x34, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, - 0x69, 
0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6e, - 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, - 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, - 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x24, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe5, 0x03, 0x0a, 0x0c, - 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3d, 0x0a, 0x06, - 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x9b, 0x01, 0x0a, 0x1c, - 0x6a, 0x77, 0x74, 0x5f, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, - 0x61, 0x64, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x5a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, - 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, - 0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, - 0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, - 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 
0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x19, - 0x6a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, - 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3b, 0x0a, 0x1a, 0x73, 0x6b, 0x69, - 0x70, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x17, 0x73, - 0x6b, 0x69, 0x70, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x72, 0x75, 0x73, 0x74, - 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, - 0x64, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, - 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x54, 0x72, - 0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x39, 0x0a, 0x19, 0x64, 0x69, - 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x63, 0x6c, 0x65, 0x61, 0x72, 0x5f, 0x72, 0x6f, 0x75, 0x74, - 0x65, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x16, 0x64, - 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x52, 0x6f, 0x75, 0x74, 0x65, - 0x43, 0x61, 0x63, 0x68, 0x65, 0x1a, 0x4c, 0x0a, 0x1e, 0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, - 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, - 0x02, 0x38, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, - 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 
0x61, 0x75, 0x74, - 0x68, 0x6e, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, -} - -var ( - file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce sync.Once - file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc -) - -func file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP() []byte { - file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce.Do(func() { - file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData) - }) - return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData -} - -var file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = []any{ - (*FilterConfig)(nil), // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig - nil, // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry - (*v1alpha1.Policy)(nil), // 2: istio.authentication.v1alpha1.Policy -} -var file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = []int32{ - 2, // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.policy:type_name -> istio.authentication.v1alpha1.Policy - 1, // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.jwt_output_payload_locations:type_name -> istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name -} - -func init() { 
file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() } -func file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() { - if File_envoy_config_filter_http_authn_v2alpha1_config_proto != nil { - return - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc, - NumEnums: 0, - NumMessages: 2, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes, - DependencyIndexes: file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs, - MessageInfos: file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes, - }.Build() - File_envoy_config_filter_http_authn_v2alpha1_config_proto = out.File - file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = nil - file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = nil - file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = nil -} diff --git a/envoy/config/filter/http/authn/v2alpha1/config.proto b/envoy/config/filter/http/authn/v2alpha1/config.proto deleted file mode 100644 index 620dfa89132..00000000000 --- a/envoy/config/filter/http/authn/v2alpha1/config.proto +++ /dev/null 
@@ -1,60 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-syntax = "proto3";
-
-import "authentication/v1alpha1/policy.proto";
-
-// $title: Internal API for authentication implementation on Envoy.
-
-package istio.envoy.config.filter.http.authn.v2alpha1;
-
-option go_package = "istio.io/api/envoy/config/filter/http/authn/v2alpha1";
-
-// FilterConfig is the config for Istio-specific filter that is used to enforce
-// authentication policy on Envoy.
-message FilterConfig {
- // Policy is the original copy of the policy.
- istio.authentication.v1alpha1.Policy policy = 1;
-
- // Map from issuer to location of the payload that is emitted by Jwt filter.
- // This information is added by pilot when construct and add Jwt and
- // authN filters.
- map jwt_output_payload_locations = 2;
-
- // Skips validating the peer's trust domain.
- // By default, the istio authn filter will reject the request if the peer and
- // the local service is not in the same trust domain.
- // Set this field to true to skip the validation and allows peers from any
- // trust domains.
- // Note, the istio authn filter only validates the trust domain when mTLS is
- // used, In other words, this field has no effect for plaintext traffic.
- // TODO(incfly): deprecate this after allowed_trust_domains is shipped.
- bool skip_validate_trust_domain = 3;
-
- // allowed_trust_domains contains a list of trust domains the authn
- // filter should validate against. When configured, only requests with a
- // peer from one of the allowed trust domain will be admitted.
- // An empty list means all trust domains are allowed.
- // When this field is set, the skip_validate_trust_domain field is ignored.
- // This field has no effect for plaintext traffic.
- repeated string allowed_trust_domains = 4;
-
- // By default the authn filter will clear the route cache so that the validated
- // JWT token claims can be used in routing.
- // Advanced users can set this to true to disable the behavior if they do not
- // want the authn filter to clear the route cache for any reasons.
- // Warning: setting this to true will break the JWT claim based routing.
- bool disable_clear_route_cache = 5;
-}