Define targetRef proto (#2888)

* Define protobuf for PolicyTargetReference Signed-off-by: Jackie Elliott <[email protected]> * Add targetRef to AuthorizationPolicy, Telemetry, WasmPlugin, ProxyConfig, and RequestAuthentication. Need more examples. Signed-off-by: Jackie Elliott <[email protected]> * Add examples Signed-off-by: Jackie Elliott <[email protected]> * Moved targetRef def to selector.proto. Removed kubebuilder comments. Added release note for targetRef. Signed-off-by: Jackie Elliott <[email protected]> * Add oneof to CRD protos. Add clarifying comments about intended use of taretRef. Signed-off-by: Jackie Elliott <[email protected]> * Remove targetRef from ProxyConfig Signed-off-by: Jackie Elliott <[email protected]> * Removed root namespace references and ingress gateway targetRef examples. Signed-off-by: Jackie Elliott <[email protected]> * Hide API changes from docs and remove examples until impl is complete Signed-off-by: Jackie Elliott <[email protected]> * Remove telemtry example until impl complete Signed-off-by: Jackie Elliott <[email protected]> * add clarification resource must be in same ns as policy and add oneof to wasm plugin. Signed-off-by: Jackie Elliott <[email protected]> * Remove oneof in to avoid go changes. Signed-off-by: Jackie Elliott <[email protected]> * update release note to clarify scope is limited to waypoints Signed-off-by: Jackie Elliott <[email protected]> * Update authorizationPolicy selector comment Signed-off-by: Jackie Elliott <[email protected]> * clarify in targetRef description only waypoint is supported as a targeted resource Signed-off-by: Jackie Elliott <[email protected]> * add k8s gateway references Signed-off-by: Jackie Elliott <[email protected]> * Respond to PR feedback and add selector example. Signed-off-by: Jackie Elliott <[email protected]> * Address nits Signed-off-by: Jackie Elliott <[email protected]> --------- Signed-off-by: Jackie Elliott <[email protected]>
istio · Sep 5, 2023 · 283cc40 · 283cc40
1 parent 56a12e0
commit 283cc40
Show file tree

Hide file tree

Showing 23 changed files with 1,225 additions and 605 deletions.
diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
@@ -240,8 +240,22 @@ message WasmPlugin {
   // namespace. If the `WasmPlugin` is present in the config root
   // namespace, it will be applied to all applicable workloads in any
   // namespace.
+  //
+  // At most one of the selector and targetRef can be set.
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
+  // $hide_from_docs
+  // Optional. The targetRef specifies the gateway the policy should be 
+  // applied to. The targeted resource specified will determine which 
+  // workloads the WasmPlugin applies to. The targeted resource must be 
+  // a `Gateway` in the group `gateway.networking.k8s.io`. The gateway
+  // must be in the same namespace as the policy.
+  //
+  // If the `targetRef` is not set, the policy is applied as defined by the selector.
+  // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
+  istio.type.v1beta1.PolicyTargetReference targetRef = 15;
+
   // URL of a Wasm module or OCI container. If no scheme is present,
   // defaults to `oci://`, referencing an OCI image. Other valid schemes
   // are `file://` for referencing .wasm module files present locally

diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
diff --git a/proto.lock b/proto.lock
@@ -36539,6 +36539,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 15,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "url",
@@ -46818,6 +46823,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "rules",
@@ -47188,6 +47198,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 3,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "jwt_rules",
@@ -47314,6 +47329,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "rules",
@@ -47764,6 +47784,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 3,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "jwt_rules",
@@ -47918,6 +47943,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "tracing",
@@ -48279,6 +48309,31 @@
                 "type": "uint32"
               }
             ]
+          },
+          {
+            "name": "PolicyTargetReference",
+            "fields": [
+              {
+                "id": 1,
+                "name": "group",
+                "type": "string"
+              },
+              {
+                "id": 2,
+                "name": "kind",
+                "type": "string"
+              },
+              {
+                "id": 3,
+                "name": "name",
+                "type": "string"
+              },
+              {
+                "id": 4,
+                "name": "namespace",
+                "type": "string"
+              }
+            ]
           }
         ],
         "imports": [

diff --git a/releasenotes/notes/target-ref.yaml b/releasenotes/notes/target-ref.yaml
@@ -0,0 +1,12 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+  - https://github.com/istio/api/issues/2885
+
+releaseNotes:
+  - |
+    **Added** PolicyTargetReference definition to be used in the RequestAuthentication, AuthorizationPolicy, Telemetry, and WasmPlugin CRDs to target k8s gateways.
+
+docs:
+  - https://docs.google.com/document/d/1MaMdyIQdOwq7mGCVMYW56FED9HrkJa93Nd0S0zBwws4/edit?usp=sharing