diff --git a/go.mod b/go.mod
index 436b4a2747..596cbb3e75 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
 go.uber.org/zap v1.26.0
 golang.org/x/sync v0.6.0
 google.golang.org/protobuf v1.32.0
- istio.io/api v1.20.0
- istio.io/client-go v1.20.0
+ istio.io/api v1.20.2
+ istio.io/client-go v1.20.2
 k8s.io/api v0.28.5
 k8s.io/apimachinery v0.28.5
 k8s.io/client-go v0.28.5
diff --git a/go.sum b/go.sum
index 7a65285c63..552a29c5ba 100644
--- a/go.sum
+++ b/go.sum
@@ -666,10 +666,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-istio.io/api v1.20.0 h1:heE1eQoMsuZlwWOf7Xm8TKqKLNKVs11G/zMe5QyR1u4=
-istio.io/api v1.20.0/go.mod h1:hm1PE/mGdIAsjCDkTIAplP53H7TjO5LUQCiVvF26SVg=
-istio.io/client-go v1.20.0 h1:TSSv6A4sYvuBtoKOwyuRmBmPwSb4s++lWlh7RB7+7gY=
-istio.io/client-go v1.20.0/go.mod h1:6D76gZsdjz8JtVeIarUYdOn3WA8Zh+j8fIv2+2K3M+Q=
+istio.io/api v1.20.2 h1:VjkJB1EfrZt77bcavr1P/3PrO8AP3lOSQsYiYOnGGBU=
+istio.io/api v1.20.2/go.mod h1:hm1PE/mGdIAsjCDkTIAplP53H7TjO5LUQCiVvF26SVg=
+istio.io/client-go v1.20.2 h1:FL99qw5f5W+QFPHutLpGOoPmoKgLwNFrGCEemAvLm00=
+istio.io/client-go v1.20.2/go.mod h1:mub0nwPDAj98cjns7KYLzbvDk0Fg9rx0k2o+KZ4UIUY=
 k8s.io/api v0.28.5 h1:XIPNr3nBgTEaCdEiwZ+dXaO9SB4NeTOZ2pNDRrFgfb4=
 k8s.io/api v0.28.5/go.mod h1:98zkTCc60iSnqqCIyCB1GI7PYDiRDYTSfL0PRIxpM4c=
 k8s.io/apiextensions-apiserver v0.28.5 h1:YKW9O9T/0Gkyl6LTFDLIhCbouSRh+pHt2vMLB38Snfc=
diff --git a/hack/update-k8s-deps.sh b/hack/update-k8s-deps.sh
deleted file mode 120000
index 855973af41..0000000000
--- a/hack/update-k8s-deps.sh
+++ /dev/null
@@ -1 +0,0 @@
-../vendor/knative.dev/pkg/hack/update-k8s-deps.sh
\ No newline at end of file
diff --git a/third_party/istio-latest/generate-manifests.sh b/third_party/istio-latest/generate-manifests.sh index 4cf36dc591..11e14e637d 100755 --- a/third_party/istio-latest/generate-manifests.sh +++ b/third_party/istio-latest/generate-manifests.sh @@ -16,4 +16,4 @@ source "$(dirname $0)/../library.sh" -generate "1.20.0" "$(dirname $0)" +generate "1.20.2" "$(dirname $0)" diff --git a/third_party/istio-latest/istio-ci-ambient/istio.yaml b/third_party/istio-latest/istio-ci-ambient/istio.yaml index cca61e8d15..9153cca704 100644 --- a/third_party/istio-latest/istio-ci-ambient/istio.yaml +++ b/third_party/istio-latest/istio-ci-ambient/istio.yaml @@ -85,31 +85,48 @@ metadata: istio.io/rev: default operator.istio.io/component: Cni release: istio - name: istio-cni-repair-role + name: istio-cni-ambient rules: - apiGroups: - "" resources: - - pods + - pods/status verbs: - - get - - list - - watch - - delete - patch - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: istio-cni + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Cni + release: istio + name: istio-cni-repair-role +rules: - apiGroups: - "" resources: - events verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch - get - list - - watch + - apiGroups: + - "" + resources: + - pods + verbs: - delete - - patch - - update - - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -466,6 +483,24 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + k8s-app: istio-cni-repair + operator.istio.io/component: Cni + name: istio-cni-ambient +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-ambient +subjects: + - kind: ServiceAccount + name: istio-cni + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: install.operator.istio.io/owning-resource: unknown @@ -828,14 +863,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -1023,14 +1063,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object 
@@ -1607,7 +1652,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -1645,7 +1690,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2191,7 +2236,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2229,7 +2274,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2827,7 +2872,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2865,7 +2910,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -3411,7 +3456,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3449,7 +3494,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -4344,14 +4389,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -4442,14 +4492,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object 
@@ -5587,14 +5642,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object tracing: @@ -7467,14 +7527,19 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: @@ -9911,7 +9976,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.20.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, @@ -10061,7 +10126,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.20.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 15021 @@ -10265,7 +10330,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.20.0-distroless + image: docker.io/istio/pilot:1.20.2-distroless name: discovery ports: - containerPort: 8080 @@ -10713,9 +10778,11 @@ spec: fieldRef: fieldPath: spec.nodeName - name: REPAIR_LABEL_PODS - value: "true" + value: "false" - name: REPAIR_DELETE_PODS value: "true" + - name: REPAIR_REPAIR_PODS + value: "false" - name: REPAIR_RUN_AS_DAEMON value: "true" - name: REPAIR_SIDECAR_ANNOTATION @@ -10743,7 +10810,7 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu - image: docker.io/istio/install-cni:1.20.0 + image: docker.io/istio/install-cni:1.20.2 name: install-cni readinessProbe: httpGet: 
@@ -10859,7 +10926,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - image: docker.io/istio/ztunnel:1.20.0-distroless + image: docker.io/istio/ztunnel:1.20.2-distroless name: istio-proxy ports: - containerPort: 15020 diff --git a/third_party/istio-latest/istio-ci-mesh/istio.yaml b/third_party/istio-latest/istio-ci-mesh/istio.yaml index d9ecd8d89c..74f10b69ef 100644 --- a/third_party/istio-latest/istio-ci-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-mesh/istio.yaml @@ -714,14 +714,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -909,14 +914,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -1493,7 +1503,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -1531,7 +1541,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2077,7 +2087,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2115,7 +2125,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2713,7 +2723,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2751,7 +2761,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3297,7 +3307,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -3335,7 +3345,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -4230,14 +4240,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -4328,14 +4343,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -5473,14 +5493,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object tracing: 
@@ -7353,14 +7378,19 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: @@ -9767,7 +9797,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.20.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, @@ -9915,7 +9945,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.20.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 15021 @@ -10109,7 +10139,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.20.0 + image: docker.io/istio/pilot:1.20.2 name: discovery ports: - containerPort: 8080 diff --git a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml index f87b1697bb..151532ba2f 100644 --- a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml @@ -714,14 +714,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object 
@@ -909,14 +914,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -1493,7 +1503,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -1531,7 +1541,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2077,7 +2087,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2115,7 +2125,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2713,7 +2723,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2751,7 +2761,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3297,7 +3307,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3335,7 +3345,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -4230,14 +4240,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -4328,14 +4343,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -5473,14 +5493,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object tracing: @@ -7353,14 +7378,19 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: @@ -9767,7 +9797,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.20.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, 
@@ -9915,7 +9945,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.20.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 15021 @@ -10109,7 +10139,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.20.0 + image: docker.io/istio/pilot:1.20.2 name: discovery ports: - containerPort: 8080 diff --git a/third_party/istio-latest/istio-kind-ambient/istio.yaml b/third_party/istio-latest/istio-kind-ambient/istio.yaml index db45389e48..cdfafef584 100644 --- a/third_party/istio-latest/istio-kind-ambient/istio.yaml +++ b/third_party/istio-latest/istio-kind-ambient/istio.yaml @@ -85,31 +85,48 @@ metadata: istio.io/rev: default operator.istio.io/component: Cni release: istio - name: istio-cni-repair-role + name: istio-cni-ambient rules: - apiGroups: - "" resources: - - pods + - pods/status verbs: - - get - - list - - watch - - delete - patch - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: istio-cni + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: Cni + release: istio + name: istio-cni-repair-role +rules: - apiGroups: - "" resources: - events verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch - get - list - - watch + - apiGroups: + - "" + resources: + - pods + verbs: - delete - - patch - - update - - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
@@ -466,6 +483,24 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + k8s-app: istio-cni-repair + operator.istio.io/component: Cni + name: istio-cni-ambient +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-ambient +subjects: + - kind: ServiceAccount + name: istio-cni + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: install.operator.istio.io/owning-resource: unknown @@ -828,14 +863,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -1023,14 +1063,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object 
@@ -1607,7 +1652,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -1645,7 +1690,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2191,7 +2236,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2229,7 +2274,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2827,7 +2872,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2865,7 +2910,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -3411,7 +3456,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3449,7 +3494,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -4344,14 +4389,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -4442,14 +4492,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object 
@@ -5587,14 +5642,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object tracing: @@ -7467,14 +7527,19 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: @@ -9911,7 +9976,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.20.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, @@ -10061,7 +10126,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.20.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 15021 @@ -10265,7 +10330,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.20.0-distroless + image: docker.io/istio/pilot:1.20.2-distroless name: discovery ports: - containerPort: 8080 @@ -10713,9 +10778,11 @@ spec: fieldRef: fieldPath: spec.nodeName - name: REPAIR_LABEL_PODS - value: "true" + value: "false" - name: REPAIR_DELETE_PODS value: "true" + - name: REPAIR_REPAIR_PODS + value: "false" - name: REPAIR_RUN_AS_DAEMON value: "true" - name: REPAIR_SIDECAR_ANNOTATION @@ -10743,7 +10810,7 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu - image: docker.io/istio/install-cni:1.20.0 + image: docker.io/istio/install-cni:1.20.2 name: install-cni readinessProbe: httpGet: 
@@ -10859,7 +10926,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - image: docker.io/istio/ztunnel:1.20.0-distroless + image: docker.io/istio/ztunnel:1.20.2-distroless name: istio-proxy ports: - containerPort: 15020 diff --git a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml index 6b7c8d2bc4..d6dbb0cf73 100644 --- a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml @@ -714,14 +714,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -909,14 +914,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -1493,7 +1503,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -1531,7 +1541,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2077,7 +2087,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2115,7 +2125,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -2713,7 +2723,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -2751,7 +2761,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -3297,7 +3307,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: 
@@ -3335,7 +3345,7 @@ spec: description: The name of the secret that holds the TLS certs for the client including the CA certificates. type: string insecureSkipVerify: - description: InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. + description: '`insecureSkipVerify` specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host.' nullable: true type: boolean mode: @@ -4230,14 +4240,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -4328,14 +4343,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: object @@ -5473,14 +5493,19 @@ spec: type: object type: object targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object tracing: 
@@ -7353,14 +7378,19 @@ spec: pattern: (^$|^[a-f0-9]{64}$) type: string targetRef: + description: Optional. properties: group: + description: group is the group of the target resource. type: string kind: + description: kind is kind of the target resource. type: string name: + description: name is the name of the target resource. type: string namespace: + description: namespace is the namespace of the referent. type: string type: object type: @@ -9767,7 +9797,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.20.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, @@ -9915,7 +9945,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.20.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 15021 @@ -10109,7 +10139,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.20.0 + image: docker.io/istio/pilot:1.20.2 name: discovery ports: - containerPort: 8080 diff --git a/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go b/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go index ededd17515..4dd5f8e61b 100644 --- a/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go +++ b/vendor/istio.io/api/networking/v1beta1/destination_rule.pb.go 
@@ -1515,16 +1515,16 @@ type ClientTLSSettings struct { // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` // environmental variable is set to `true`. Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"` - // InsecureSkipVerify specifies whether the proxy should skip verifying the + // `insecureSkipVerify` specifies whether the proxy should skip verifying the // CA signature and SAN for the server certificate corresponding to the host. // This flag should only be set if global CA signature verification is - // enabled, `VerifyCertAtClient` environmental variable is set to `true`, + // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, // but no verification is desired for a specific host. If enabled with or - // without `VerifyCertAtClient` enabled, verification of the CA signature and + // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and // SAN will be skipped. // - // `InsecureSkipVerify` is `false` by default. - // `VerifyCertAtClient` is `false` by default in Istio version 1.9 but will + // `insecureSkipVerify` is `false` by default. + // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will // be `true` by default in a later version where, going forward, it will be // enabled by default. InsecureSkipVerify *wrappers.BoolValue `protobuf:"bytes,8,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"` diff --git a/vendor/istio.io/api/networking/v1beta1/destination_rule.proto b/vendor/istio.io/api/networking/v1beta1/destination_rule.proto index 73f092329e..60906259f5 100644 --- a/vendor/istio.io/api/networking/v1beta1/destination_rule.proto +++ b/vendor/istio.io/api/networking/v1beta1/destination_rule.proto 
@@ -1079,16 +1079,16 @@ message ClientTLSSettings { // environmental variable is set to `true`. string sni = 6; - // InsecureSkipVerify specifies whether the proxy should skip verifying the + // `insecureSkipVerify` specifies whether the proxy should skip verifying the // CA signature and SAN for the server certificate corresponding to the host. // This flag should only be set if global CA signature verification is - // enabled, `VerifyCertAtClient` environmental variable is set to `true`, + // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`, // but no verification is desired for a specific host. If enabled with or - // without `VerifyCertAtClient` enabled, verification of the CA signature and + // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and // SAN will be skipped. // - // `InsecureSkipVerify` is `false` by default. - // `VerifyCertAtClient` is `false` by default in Istio version 1.9 but will + // `insecureSkipVerify` is `false` by default. + // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will // be `true` by default in a later version where, going forward, it will be // enabled by default. google.protobuf.BoolValue insecure_skip_verify = 8; diff --git a/vendor/istio.io/api/networking/v1beta1/gateway.pb.go b/vendor/istio.io/api/networking/v1beta1/gateway.pb.go index 69430d06a2..e0f314b00f 100644 --- a/vendor/istio.io/api/networking/v1beta1/gateway.pb.go +++ b/vendor/istio.io/api/networking/v1beta1/gateway.pb.go 
@@ -913,7 +913,7 @@ type Port struct { // A valid non-negative integer port number. Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"` // The protocol exposed on the port. - // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. + // MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS. // TLS can be either used to terminate non-HTTP based connections on a specific port // or to route traffic based on SNI header to the destination without terminating the TLS connection. Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"` @@ -1013,7 +1013,8 @@ type ServerTLSSettings struct { // For gateways running on Kubernetes, the name of the secret that // holds the TLS certs including the CA certificates. Applicable // only on Kubernetes. An Opaque secret should contain the following - // keys and values: `key: ` and `cert: `. + // keys and values: `tls.key: ` and `tls.crt: ` or + // `key: ` and `cert: `. // For mutual TLS, `cacert: ` and `crl: ` // can be provided in the same secret or a separate secret named `-cacert`. // A TLS secret for server certificates with an additional `tls.ocsp-staple` key diff --git a/vendor/istio.io/api/networking/v1beta1/gateway.proto b/vendor/istio.io/api/networking/v1beta1/gateway.proto index 2b3bcf7155..10ab056791 100644 --- a/vendor/istio.io/api/networking/v1beta1/gateway.proto +++ b/vendor/istio.io/api/networking/v1beta1/gateway.proto @@ -597,7 +597,7 @@ message Port { uint32 number = 1 [(google.api.field_behavior) = REQUIRED]; // The protocol exposed on the port. - // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. + // MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS. // TLS can be either used to terminate non-HTTP based connections on a specific port // or to route traffic based on SNI header to the destination without terminating the TLS connection. string protocol = 2 [(google.api.field_behavior) = REQUIRED]; 
@@ -684,7 +684,8 @@ message ServerTLSSettings { // For gateways running on Kubernetes, the name of the secret that // holds the TLS certs including the CA certificates. Applicable // only on Kubernetes. An Opaque secret should contain the following - // keys and values: `key: ` and `cert: `. + // keys and values: `tls.key: ` and `tls.crt: ` or + // `key: ` and `cert: `. // For mutual TLS, `cacert: ` and `crl: ` // can be provided in the same secret or a separate secret named `-cacert`. // A TLS secret for server certificates with an additional `tls.ocsp-staple` key diff --git a/vendor/istio.io/api/type/v1beta1/selector.pb.go b/vendor/istio.io/api/type/v1beta1/selector.pb.go index 17f45ab852..5cd9dd8915 100644 --- a/vendor/istio.io/api/type/v1beta1/selector.pb.go +++ b/vendor/istio.io/api/type/v1beta1/selector.pb.go @@ -213,7 +213,6 @@ func (x *PortSelector) GetNumber() uint32 { return 0 } -// $hide_from_docs // PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). // // PolicyTargetReferences specifies the targeted resource which the policy @@ -259,16 +258,12 @@ type PolicyTargetReference struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // $hide_from_docs // group is the group of the target resource. Group string `protobuf:"bytes,1,opt,name=group,proto3" json:"group,omitempty"` - // $hide_from_docs // kind is kind of the target resource. Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` - // $hide_from_docs // name is the name of the target resource. Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` - // $hide_from_docs // namespace is the namespace of the referent. When unspecified, the local // namespace is inferred. Namespace string `protobuf:"bytes,4,opt,name=namespace,proto3" json:"namespace,omitempty"` 
diff --git a/vendor/istio.io/api/type/v1beta1/selector.pb.html b/vendor/istio.io/api/type/v1beta1/selector.pb.html index b4315a9b16..cc075d081c 100644 --- a/vendor/istio.io/api/type/v1beta1/selector.pb.html +++ b/vendor/istio.io/api/type/v1beta1/selector.pb.html @@ -4,7 +4,7 @@ location: https://istio.io/docs/reference/config/type/workload-selector.html layout: protoc-gen-docs generator: protoc-gen-docs -number_of_entries: 3 +number_of_entries: 4 ---

WorkloadSelector

@@ -70,6 +70,99 @@

PortSelector

+

PolicyTargetReference

+
+

PolicyTargetReference format as defined by GEP-713.

+

PolicyTargetReferences specifies the targeted resource which the policy +can be applied to. It must only target a single resource at a time, but it +can be used to target larger resources such as Gateways that may apply to +multiple child resources. The PolicyTargetReference will be used instead of +a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, +Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.

+

The following is an example of an AuthorizationPolicy bound to a waypoint proxy using +a PolicyTargetReference. The example sets action to DENY to create a deny policy. +It denies all the requests with POST method on port 8080 directed through the +waypoint Gateway in the foo namespace.

+

{{}} +{{}}

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  targetRef:
+    name: waypoint
+    kind: Gateway
+    group: gateway.networking.k8s.io
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        methods: ["POST"]
+        ports: ["8080"]
+
+

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
groupstring +

group is the group of the target resource.

+ +
+No +
kindstring +

kind is kind of the target resource.

+ +
+No +
namestring +

name is the name of the target resource.

+ +
+No +
namespacestring +

namespace is the namespace of the referent. When unspecified, the local +namespace is inferred.

+ +
+No +
+

WorkloadMode

WorkloadMode allows selection of the role of the underlying workload in diff --git a/vendor/istio.io/api/type/v1beta1/selector.proto b/vendor/istio.io/api/type/v1beta1/selector.proto index 346aed3347..222dbf06a8 100644 --- a/vendor/istio.io/api/type/v1beta1/selector.proto +++ b/vendor/istio.io/api/type/v1beta1/selector.proto @@ -69,7 +69,6 @@ enum WorkloadMode { CLIENT_AND_SERVER = 3; } -// $hide_from_docs // PolicyTargetReference format as defined by [GEP-713](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). // // PolicyTargetReferences specifies the targeted resource which the policy @@ -107,19 +106,15 @@ enum WorkloadMode { // {{}} // {{}} message PolicyTargetReference { - // $hide_from_docs // group is the group of the target resource. string group = 1; - // $hide_from_docs // kind is kind of the target resource. string kind = 2; - // $hide_from_docs // name is the name of the target resource. string name = 3; - // $hide_from_docs // namespace is the namespace of the referent. When unspecified, the local // namespace is inferred. string namespace = 4; diff --git a/vendor/modules.txt b/vendor/modules.txt index 35e6512b1c..ecf52c85b5 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -403,14 +403,14 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# istio.io/api v1.20.0 +# istio.io/api v1.20.2 ## explicit; go 1.18 istio.io/api/analysis/v1alpha1 istio.io/api/label istio.io/api/meta/v1alpha1 istio.io/api/networking/v1beta1 istio.io/api/type/v1beta1 -# istio.io/client-go v1.20.0 +# istio.io/client-go v1.20.2 ## explicit; go 1.18 istio.io/client-go/pkg/apis/networking/v1beta1 # k8s.io/api v0.28.5