clarify in targetRef description only waypoint is supported as a

targeted resource

Signed-off-by: Jackie Elliott <[email protected]>

extensions/v1alpha1/wasm.proto

@@ -245,13 +245,14 @@ message WasmPlugin {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the WasmPlugin applies to. The resource must be in the
-  // same namespace as the policy.
+  // workloads the WasmPlugin applies to. The targeted resource must be 
+  // a waypoint. The waypoint must be in the same namespace as the policy.
   //
   // If the targetRef is not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
   istio.type.v1beta1.PolicyTargetReference targetRef = 15;
 
   // URL of a Wasm module or OCI container. If no scheme is present,

security/v1/authorization_policy.proto

@@ -472,10 +472,11 @@ message AuthorizationPolicy {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the authorization policy applies to. The resource must
-  // be in the same namespace as the authorization policy.
+  // workloads the authorization policy applies to. The targeted resource
+  // must be a waypoint. The waypoint must be in the same namespace as
+  // the authorization policy.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.

security/v1/request_authentication.proto

@@ -447,13 +447,15 @@ message RequestAuthentication {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the request authentication policy to. The resource must
-  // be in the same namespace as the request authentication policy.
+  // workloads the request authentication policy to. The targeted resource
+  // must be a waypoint. The waypoint must be in the same namespace as the
+  // request authentication policy.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
   istio.type.v1beta1.PolicyTargetReference targetRef = 3;
 
   // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token

security/v1beta1/authorization_policy.proto

@@ -472,10 +472,11 @@ message AuthorizationPolicy {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the authorization policy applies to. The resource must
-  // be in the same namespace as the authorization policy.
+  // workloads the authorization policy applies to. The targeted resource
+  // must be a waypoint. The waypoint must be in the same namespace as
+  // the authorization policy.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.

security/v1beta1/request_authentication.proto

@@ -446,13 +446,15 @@ message RequestAuthentication {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the request authentication policy to. The resource must
-  // be in the same namespace as the request authentication policy.
+  // workloads the request authentication policy to. The targeted resource
+  // must be a waypoint. The waypoint must be in the same namespace as the
+  // request authentication policy.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
   istio.type.v1beta1.PolicyTargetReference targetRef = 3;
 
   // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token

telemetry/v1alpha1/telemetry.proto

@@ -253,13 +253,15 @@ message Telemetry {
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
   // $hide_from_docs
-  // Optional. The targetRef specifies the resource the policy should be 
+  // Optional. The targetRef specifies the waypoint the policy should be 
   // applied to. The targeted resource specified will determine which 
-  // workloads the telemetry policy applies to. The resource must be in the
-  // same namespace as the Telemetry policy.
+  // workloads the telemetry policy applies to. The targeted resource
+  // must be a waypoint. The resource must be in the same namespace as
+  // the Telemetry policy.
   //
   // If not set, the policy is applied as defined by the selector.
   // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
   istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
   // Optional. Tracing configures the tracing behavior for all