From a8d6d78427a693a08687da72bbcd898c092dd64e Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Mon, 4 Feb 2019 14:22:04 -0800 Subject: [PATCH 1/7] Add service_accounts field in ServiceEntry --- .../istio.networking.v1alpha3.pb.html | 9 ++ networking/v1alpha3/service_entry.pb.go | 125 +++++++++++++----- networking/v1alpha3/service_entry.proto | 4 + .../networking/v1alpha3/service_entry_pb2.py | 31 +++-- 4 files changed, 125 insertions(+), 44 deletions(-) diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index e83d3b10fc..ba48961a2a 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -3465,6 +3465,15 @@

ServiceEntry

One or more endpoints associated with the service.

+ + + +serviceAccounts +string[] + +

The reunion of service accounts associated with workloads +backing this service

+ diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go index b1125abe5f..a92d0304ee 100644 --- a/networking/v1alpha3/service_entry.pb.go +++ b/networking/v1alpha3/service_entry.pb.go @@ -433,6 +433,9 @@ type ServiceEntry struct { // the annotation "networking.istio.io/export_to" to a comma-separated list // of namespace names. ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo" json:"export_to,omitempty"` + // The reunion of service accounts associated with workloads + // backing this service + ServiceAccounts []string `protobuf:"bytes,8,rep,name=service_accounts,json=serviceAccounts" json:"service_accounts,omitempty"` } func (m *ServiceEntry) Reset() { *m = ServiceEntry{} } @@ -489,6 +492,13 @@ func (m *ServiceEntry) GetExportTo() []string { return nil } +func (m *ServiceEntry) GetServiceAccounts() []string { + if m != nil { + return m.ServiceAccounts + } + return nil +} + // Endpoint defines a network address (IP or hostname) associated with // the mesh service. type ServiceEntry_Endpoint struct { @@ -684,6 +694,21 @@ func (m *ServiceEntry) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } + if len(m.ServiceAccounts) > 0 { + for _, s := range m.ServiceAccounts { + dAtA[i] = 0x42 + i++ + l = len(s) + for l >= 1<<7 { + dAtA[i] = uint8(uint64(l)&0x7f | 0x80) + l >>= 7 + i++ + } + dAtA[i] = uint8(l) + i++ + i += copy(dAtA[i:], s) + } + } return i, nil } @@ -809,6 +834,12 @@ func (m *ServiceEntry) Size() (n int) { n += 1 + l + sovServiceEntry(uint64(l)) } } + if len(m.ServiceAccounts) > 0 { + for _, s := range m.ServiceAccounts { + l = len(s) + n += 1 + l + sovServiceEntry(uint64(l)) + } + } return n } 
@@ -1078,6 +1109,35 @@ func (m *ServiceEntry) Unmarshal(dAtA []byte) error { } m.ExportTo = append(m.ExportTo, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccounts", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceEntry + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthServiceEntry + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServiceAccounts = append(m.ServiceAccounts, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipServiceEntry(dAtA[iNdEx:]) 
@@ -1588,37 +1648,38 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/service_entry.proto", fileDescriptorServiceEntry) } var fileDescriptorServiceEntry = []byte{ - // 497 bytes of a gzipped FileDescriptorProto + // 517 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xdf, 0x6e, 0xd3, 0x30, - 0x14, 0xc6, 0xe7, 0x66, 0x4b, 0x93, 0x33, 0x86, 0x82, 0x85, 0x90, 0x09, 0xa8, 0x84, 0xde, 0x10, - 0x09, 0x29, 0x1d, 0x9d, 0x90, 0xc6, 0x9f, 0x9b, 0x01, 0x91, 0x98, 0x54, 0x02, 0xb8, 0xb9, 0x40, - 0xdc, 0x54, 0xd9, 0x6a, 0xb5, 0xd6, 0xa2, 0x38, 0x8a, 0xbd, 0x96, 0xbe, 0x05, 0x8f, 0xc5, 0x25, - 0x8f, 0x80, 0xfa, 0x18, 0x5c, 0xa1, 0x38, 0x49, 0xd3, 0x8b, 0x01, 0xdb, 0x5d, 0xce, 0x89, 0xbf, - 0x9f, 0x3e, 0x9f, 0xef, 0x18, 0x9e, 0x64, 0x4c, 0x2d, 0x45, 0x71, 0xc1, 0xb3, 0xd9, 0x60, 0xf1, - 0x2c, 0x49, 0xf3, 0x79, 0x72, 0x34, 0x90, 0xac, 0x58, 0xf0, 0x73, 0x36, 0x61, 0x99, 0x2a, 0x56, - 0x41, 0x5e, 0x08, 0x25, 0xf0, 0x7d, 0x2e, 0x15, 0x17, 0x41, 0x7b, 0x3c, 0x68, 0x8e, 0xbb, 0x8f, - 0xaf, 0x62, 0xcc, 0x12, 0xc5, 0x96, 0x49, 0xad, 0xee, 0xff, 0x36, 0xe1, 0xd6, 0xb8, 0xa2, 0x86, - 0x25, 0x14, 0xdf, 0x85, 0xbd, 0xb9, 0x90, 0x4a, 0x12, 0xe4, 0x19, 0xbe, 0x4d, 0xab, 0x02, 0x3f, - 0x04, 0x3b, 0x99, 0x4e, 0x0b, 0x26, 0x25, 0x93, 0xa4, 0xa3, 0xff, 0xb4, 0x0d, 0xfc, 0x1c, 0xf6, - 0x72, 0x51, 0x28, 0x49, 0x0c, 0xcf, 0xf0, 0xf7, 0x87, 0x8f, 0x82, 0xbf, 0x5a, 0x0a, 0x3e, 0x89, - 0x42, 0xd1, 0xea, 0x34, 0x1e, 0x81, 0x95, 0x8a, 0xf3, 0x44, 0x71, 0x91, 0x91, 0x5d, 0x0f, 0xf9, - 0xb7, 0x87, 0x87, 0xff, 0x50, 0x6e, 0xbb, 0x0c, 0x46, 0xb5, 0x8e, 0x6e, 0x08, 0x98, 0x02, 0x14, - 0x4c, 0x8a, 0xf4, 0x52, 0xf3, 0xf6, 0x34, 0x6f, 0x78, 0x5d, 0x1e, 0xdd, 0x28, 0xe9, 0x16, 0x05, - 0x47, 0x60, 0xb3, 0x6c, 0x9a, 0x0b, 0x9e, 0x29, 0x49, 0x4c, 0x7d, 0xb9, 0x6b, 0x5b, 0x0c, 0x6b, - 0x21, 0x6d, 0x11, 0xf8, 0x01, 0xd8, 0xec, 0x5b, 0x79, 0xf9, 0x89, 0x12, 0xa4, 0xab, 0xc7, 0x68, - 0x55, 0x8d, 0x58, 0xb8, 0xdf, 0x0d, 0xb0, 0x1a, 0x11, 0x26, 
0xd0, 0xad, 0xe7, 0x4b, 0x90, 0x87, - 0x7c, 0x9b, 0x36, 0x25, 0xfe, 0xdc, 0x0c, 0xbb, 0xa3, 0xfd, 0xbc, 0xba, 0xa9, 0x1f, 0x1d, 0x81, - 0xd4, 0xbd, 0x26, 0x88, 0x18, 0xcc, 0x34, 0x39, 0x63, 0x69, 0x13, 0xe0, 0xeb, 0x1b, 0x33, 0x47, - 0x5a, 0x5e, 0x41, 0x6b, 0x56, 0x79, 0x85, 0x1a, 0xa0, 0xd3, 0xb5, 0x69, 0x53, 0x62, 0xb7, 0x0a, - 0x3e, 0xe5, 0x6a, 0xa5, 0x83, 0xb2, 0xe9, 0xa6, 0xc6, 0xf7, 0xc0, 0x5c, 0x32, 0x3e, 0x9b, 0x2b, - 0x62, 0x7a, 0xc8, 0x3f, 0xa0, 0x75, 0xe5, 0x1e, 0x03, 0xb4, 0xc6, 0xb1, 0x03, 0xc6, 0x05, 0x5b, - 0xd5, 0xa3, 0x29, 0x3f, 0xcb, 0xbd, 0x5d, 0x24, 0xe9, 0x25, 0x23, 0x1d, 0x2d, 0xab, 0x8a, 0x97, - 0x9d, 0x63, 0xe4, 0xbe, 0x80, 0xfd, 0x2d, 0x7b, 0xff, 0x93, 0xda, 0x5b, 0xd2, 0xfe, 0x21, 0x58, - 0xcd, 0xa6, 0xe1, 0x3b, 0x70, 0xf0, 0x21, 0x1c, 0xbf, 0x9f, 0x84, 0x5f, 0xe2, 0x90, 0x46, 0x27, - 0x23, 0x67, 0x67, 0xd3, 0x3a, 0x8d, 0xea, 0x16, 0xea, 0x3f, 0x05, 0x68, 0x77, 0x09, 0x5b, 0xb0, - 0x1b, 0x7d, 0x8c, 0x42, 0x67, 0x07, 0x03, 0x98, 0xe3, 0xf8, 0x24, 0x3e, 0x7d, 0xeb, 0x20, 0xdc, - 0x05, 0xe3, 0x5d, 0x34, 0x76, 0x3a, 0x6f, 0x82, 0x1f, 0xeb, 0x1e, 0xfa, 0xb9, 0xee, 0xa1, 0x5f, - 0xeb, 0x1e, 0xfa, 0xea, 0x55, 0x43, 0xe7, 0x62, 0x90, 0xe4, 0x7c, 0x70, 0xc5, 0xd3, 0x3d, 0x33, - 0xf5, 0x9b, 0x3d, 0xfa, 0x13, 0x00, 0x00, 0xff, 0xff, 0xbf, 0xab, 0x5c, 0x44, 0x1c, 0x04, 0x00, - 0x00, + 0x14, 0xc6, 0xe7, 0x66, 0x4b, 0x93, 0x33, 0x06, 0xc1, 0x42, 0x28, 0x14, 0x54, 0x42, 0x6f, 0x28, + 0x42, 0x4a, 0x47, 0x27, 0xa4, 0xf1, 0xe7, 0xa6, 0x40, 0x24, 0x26, 0x95, 0x00, 0x6e, 0x2f, 0x10, + 0x37, 0x95, 0xd7, 0x5a, 0xad, 0xb5, 0x28, 0xae, 0x62, 0xb7, 0xa5, 0x6f, 0xc1, 0x4b, 0xf0, 0x2e, + 0x5c, 0xf2, 0x08, 0xa8, 0x4f, 0x82, 0xe2, 0x38, 0x4d, 0x2f, 0x06, 0x6c, 0x77, 0x3d, 0xa7, 0xe7, + 0xfb, 0xe5, 0xb3, 0xbf, 0x63, 0x78, 0x9c, 0x32, 0xb5, 0x12, 0xd9, 0x05, 0x4f, 0xa7, 0x9d, 0xe5, + 0x33, 0x9a, 0xcc, 0x67, 0xf4, 0xa4, 0x23, 0x59, 0xb6, 0xe4, 0x63, 0x36, 0x62, 0xa9, 0xca, 0xd6, + 0xe1, 0x3c, 0x13, 0x4a, 0xe0, 0x7b, 0x5c, 0x2a, 0x2e, 0xc2, 0x6a, 0x3c, 0x2c, 0xc7, 0x1b, 
0x8f, + 0x2e, 0x63, 0x4c, 0xa9, 0x62, 0x2b, 0x6a, 0xd4, 0xad, 0x1f, 0x75, 0xb8, 0x31, 0x28, 0xa8, 0x51, + 0x0e, 0xc5, 0x77, 0xe0, 0x60, 0x26, 0xa4, 0x92, 0x3e, 0x0a, 0xac, 0xb6, 0x4b, 0x8a, 0x02, 0x3f, + 0x00, 0x97, 0x4e, 0x26, 0x19, 0x93, 0x92, 0x49, 0xbf, 0xa6, 0xff, 0xa9, 0x1a, 0xf8, 0x39, 0x1c, + 0xcc, 0x45, 0xa6, 0xa4, 0x6f, 0x05, 0x56, 0xfb, 0xb0, 0xfb, 0x30, 0xfc, 0xab, 0xa5, 0xf0, 0x93, + 0xc8, 0x14, 0x29, 0xa6, 0x71, 0x1f, 0x9c, 0x44, 0x8c, 0xa9, 0xe2, 0x22, 0xf5, 0xf7, 0x03, 0xd4, + 0xbe, 0xd9, 0x3d, 0xfe, 0x87, 0x72, 0xd7, 0x65, 0xd8, 0x37, 0x3a, 0xb2, 0x25, 0x60, 0x02, 0x90, + 0x31, 0x29, 0x92, 0x85, 0xe6, 0x1d, 0x68, 0x5e, 0xf7, 0xaa, 0x3c, 0xb2, 0x55, 0x92, 0x1d, 0x0a, + 0x8e, 0xc1, 0x65, 0xe9, 0x64, 0x2e, 0x78, 0xaa, 0xa4, 0x6f, 0xeb, 0xc3, 0x5d, 0xd9, 0x62, 0x64, + 0x84, 0xa4, 0x42, 0xe0, 0xfb, 0xe0, 0xb2, 0x6f, 0xf9, 0xe1, 0x47, 0x4a, 0xf8, 0x75, 0x7d, 0x8d, + 0x4e, 0xd1, 0x18, 0x0a, 0xfc, 0x04, 0xbc, 0x32, 0x5f, 0x3a, 0x1e, 0x8b, 0x45, 0xfe, 0x4d, 0x47, + 0xcf, 0xdc, 0x32, 0xfd, 0x9e, 0x69, 0x37, 0xbe, 0x5b, 0xe0, 0x94, 0x7c, 0xec, 0x43, 0xdd, 0x44, + 0xe1, 0xa3, 0x00, 0xb5, 0x5d, 0x52, 0x96, 0xf8, 0x73, 0x99, 0x4b, 0x4d, 0x5b, 0x7f, 0x75, 0x5d, + 0xeb, 0x3a, 0x2d, 0xa9, 0x7b, 0x65, 0x66, 0x43, 0xb0, 0x13, 0x7a, 0xce, 0x92, 0x32, 0xeb, 0xd7, + 0xd7, 0x66, 0xf6, 0xb5, 0xbc, 0x80, 0x1a, 0x56, 0x7e, 0x04, 0x03, 0xd0, 0x8b, 0xe0, 0x92, 0xb2, + 0xc4, 0x8d, 0x62, 0x47, 0x12, 0xae, 0xd6, 0x3a, 0x53, 0x97, 0x6c, 0x6b, 0x7c, 0x17, 0xec, 0x15, + 0xe3, 0xd3, 0x99, 0xf2, 0xed, 0x00, 0xb5, 0x8f, 0x88, 0xa9, 0x1a, 0xa7, 0x00, 0x95, 0x71, 0xec, + 0x81, 0x75, 0xc1, 0xd6, 0xe6, 0x6a, 0xf2, 0x9f, 0xf9, 0x8a, 0x2f, 0x69, 0xb2, 0x60, 0x7e, 0x4d, + 0xcb, 0x8a, 0xe2, 0x65, 0xed, 0x14, 0x35, 0x5e, 0xc0, 0xe1, 0x8e, 0xbd, 0xff, 0x49, 0xdd, 0x1d, + 0x69, 0xeb, 0x18, 0x9c, 0x72, 0x29, 0xf1, 0x6d, 0x38, 0xfa, 0x10, 0x0d, 0xde, 0x8f, 0xa2, 0x2f, + 0xc3, 0x88, 0xc4, 0xbd, 0xbe, 0xb7, 0xb7, 0x6d, 0x9d, 0xc5, 0xa6, 0x85, 0x5a, 0x4f, 0x01, 0xaa, + 0xb5, 0xc3, 0x0e, 0xec, 0xc7, 
0x1f, 0xe3, 0xc8, 0xdb, 0xc3, 0x00, 0xf6, 0x60, 0xd8, 0x1b, 0x9e, + 0xbd, 0xf5, 0x10, 0xae, 0x83, 0xf5, 0x2e, 0x1e, 0x78, 0xb5, 0x37, 0xe1, 0xcf, 0x4d, 0x13, 0xfd, + 0xda, 0x34, 0xd1, 0xef, 0x4d, 0x13, 0x7d, 0x0d, 0x8a, 0x4b, 0xe7, 0xa2, 0x43, 0xe7, 0xbc, 0x73, + 0xc9, 0x2b, 0x3f, 0xb7, 0xf5, 0xf3, 0x3e, 0xf9, 0x13, 0x00, 0x00, 0xff, 0xff, 0x52, 0xbc, 0xd3, + 0xed, 0x47, 0x04, 0x00, 0x00, } diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto index 63b9cb52fd..0840bb9342 100644 --- a/networking/v1alpha3/service_entry.proto +++ b/networking/v1alpha3/service_entry.proto @@ -461,4 +461,8 @@ message ServiceEntry { // the annotation "networking.istio.io/export_to" to a comma-separated list // of namespace names. repeated string export_to = 7; + + // The reunion of service accounts associated with workloads + // backing this service + repeated string service_accounts = 8; } diff --git a/python/istio_api/networking/v1alpha3/service_entry_pb2.py b/python/istio_api/networking/v1alpha3/service_entry_pb2.py index 98a378aafd..6798dae7a6 100644 --- a/python/istio_api/networking/v1alpha3/service_entry_pb2.py +++ b/python/istio_api/networking/v1alpha3/service_entry_pb2.py 
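Review bot: The comment on the new field, `+ // The reunion of service accounts associated with workloads`, does not say what the strings are, how they are formatted, or which component consumes them, which is the information a reader needs for a list that will presumably drive an identity or secure-naming decision rather than serve as informational metadata. "Reunion" also reads as a calque for "union"; I would write `// The set of service account identities (e.g. SPIFFE IDs) of the workloads backing this service.` and add a line naming the enforcing component and the behaviour when the list is empty once that is settled. Because the field is a bare `repeated string` with no format constraint, any validation of these identities has to happen in the consumer, and the comment should say so. The enclosing `message ServiceEntry` starts outside the hunk.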
@@ -20,7 +20,7 @@ name='networking/v1alpha3/service_entry.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\xeb\x05\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 \x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 \x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3') + serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\x85\x06\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 \x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 
\x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x12\x18\n\x10service_accounts\x18\x08 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3') , dependencies=[networking_dot_v1alpha3_dot_gateway__pb2.DESCRIPTOR,]) @@ -43,8 +43,8 @@ ], containing_type=None, options=None, - serialized_start=760, - serialized_end=808, + serialized_start=786, + serialized_end=834, ) _sym_db.RegisterEnumDescriptor(_SERVICEENTRY_LOCATION) @@ -69,8 +69,8 @@ ], containing_type=None, options=None, - serialized_start=810, - serialized_end=853, + serialized_start=836, + serialized_end=879, ) _sym_db.RegisterEnumDescriptor(_SERVICEENTRY_RESOLUTION) @@ -108,8 +108,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=667, - serialized_end=711, + serialized_start=693, + serialized_end=737, ) _SERVICEENTRY_ENDPOINT_LABELSENTRY = _descriptor.Descriptor( @@ -145,8 +145,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=713, - serialized_end=758, + serialized_start=739, + serialized_end=784, ) _SERVICEENTRY_ENDPOINT = _descriptor.Descriptor( 
@@ -210,8 +210,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=433, - serialized_end=758, + serialized_start=459, + serialized_end=784, ) _SERVICEENTRY = _descriptor.Descriptor( @@ -270,6 +270,13 @@ message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='service_accounts', full_name='istio.networking.v1alpha3.ServiceEntry.service_accounts', index=7, + number=8, type=9, cpp_type=9, label=3, + has_default_value=False, default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), ], extensions=[ ], @@ -285,7 +292,7 @@ oneofs=[ ], serialized_start=106, - serialized_end=853, + serialized_end=879, ) _SERVICEENTRY_ENDPOINT_PORTSENTRY.containing_type = _SERVICEENTRY_ENDPOINT From 7492ac641299ae8cf1d9559e2c7d6c2ed68634c1 Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Mon, 4 Feb 2019 14:27:54 -0800 Subject: [PATCH 2/7] Ran make proto-commit --- proto.lock | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/proto.lock b/proto.lock index 18877af34a..d1fc4ef344 100644 --- a/proto.lock +++ b/proto.lock @@ -3455,6 +3455,12 @@ "name": "export_to", "type": "string", "is_repeated": true + }, + { + "id": 8, + "name": "service_accounts", + "type": "string", + "is_repeated": true } ], "messages": [ From e53c7d5b14ca42716b768d5222c734391fc51a87 Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Mon, 4 Feb 2019 17:08:25 -0800 Subject: [PATCH 3/7] Added example with format --- .../istio.networking.v1alpha3.pb.html | 26 +++++++++++++-- networking/v1alpha3/service_entry.pb.go | 27 ++++++++++++++-- networking/v1alpha3/service_entry.proto | 32 +++++++++++++++++-- 3 files changed, 79 insertions(+), 6 deletions(-) diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index ba48961a2a..ee9f30d0b2 100644 
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -3471,8 +3471,30 @@

ServiceEntry

serviceAccounts string[] -

The reunion of service accounts associated with workloads -backing this service

+

The following example illustrates the usage of a service account +whose format conforms to the SPIFEE standard +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: httpbin
+  namespace : httpbin-ns
+spec:
+  hosts:
+  - httpbin.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: 2.2.2.2
+  - address: 3.3.3.3
+  serviceAccounts:
+  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go index a92d0304ee..8ad90166c0 100644 --- a/networking/v1alpha3/service_entry.pb.go +++ b/networking/v1alpha3/service_entry.pb.go @@ -433,8 +433,31 @@ type ServiceEntry struct { // the annotation "networking.istio.io/export_to" to a comma-separated list // of namespace names. ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo" json:"export_to,omitempty"` - // The reunion of service accounts associated with workloads - // backing this service + // The following example illustrates the usage of a service account + // whose format conforms to the SPIFEE standard + // : + // + // ```yaml + // apiVersion: networking.istio.io/v1alpha3 + // kind: ServiceEntry + // metadata: + // name: httpbin + // namespace : httpbin-ns + // spec: + // hosts: + // - httpbin.com + // location: MESH_INTERNAL + // ports: + // - number: 80 + // name: http + // protocol: HTTP + // resolution: STATIC + // endpoints: + // - address: 2.2.2.2 + // - address: 3.3.3.3 + // serviceAccounts: + // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" + // ``` ServiceAccounts []string `protobuf:"bytes,8,rep,name=service_accounts,json=serviceAccounts" json:"service_accounts,omitempty"` } diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto index 0840bb9342..6ffad51b3b 100644 --- a/networking/v1alpha3/service_entry.proto +++ b/networking/v1alpha3/service_entry.proto 
@@ -462,7 +462,35 @@ message ServiceEntry { // of namespace names. repeated string export_to = 7; - // The reunion of service accounts associated with workloads - // backing this service + // $hide_from_docs + // The set of service accounts identities allowed for workloads that + // implement this service. This information is used to enforce + // secure-naming . + + // The following example illustrates the usage of a service account + // whose format conforms to the SPIFEE standard + // : + // + // ```yaml + // apiVersion: networking.istio.io/v1alpha3 + // kind: ServiceEntry + // metadata: + // name: httpbin + // namespace : httpbin-ns + // spec: + // hosts: + // - httpbin.com + // location: MESH_INTERNAL + // ports: + // - number: 80 + // name: http + // protocol: HTTP + // resolution: STATIC + // endpoints: + // - address: 2.2.2.2 + // - address: 3.3.3.3 + // serviceAccounts: + // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" + // ``` repeated string service_accounts = 8; } From bbf383d0592c99e6557efd6c7636c0ce2b627c0c Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Mon, 4 Feb 2019 19:17:13 -0800 Subject: [PATCH 4/7] Rename to subject_alt_names --- .../istio.networking.v1alpha3.pb.html | 31 ------ networking/v1alpha3/service_entry.pb.go | 97 ++++++++++--------- networking/v1alpha3/service_entry.proto | 12 ++- proto.lock | 2 +- .../networking/v1alpha3/service_entry_pb2.py | 26 ++--- 5 files changed, 73 insertions(+), 95 deletions(-) diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index ee9f30d0b2..e83d3b10fc 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -3465,37 +3465,6 @@
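Review bot: The empty `+` line between `+ // secure-naming .` and `+ // The following example illustrates` splits the leading comment into two blocks, so protoc attaches only the example paragraph to `service_accounts`: the `$hide_from_docs` marker and the sentence saying the list is the set of identities *allowed* for workloads implementing the service are dropped, and this same patch's regenerated `service_entry.pb.go` and HTML carry only the example text while the field remains visible in the docs. Making the separator a comment line, `+ //`, keeps the whole block attached. The lost sentence is the most security-relevant line in the hunk, since it is what tells a reader this is an allow-list used for secure naming and not descriptive metadata. Separately, `SPIFEE` should read `SPIFFE`, and `namespace : httpbin-ns` in the example has a stray space before the colon. The enclosing `message ServiceEntry` starts outside the hunk.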

ServiceEntry

One or more endpoints associated with the service.

- - - -serviceAccounts -string[] - -

The following example illustrates the usage of a service account -whose format conforms to the SPIFEE standard -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:

- -
apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: httpbin
-  namespace : httpbin-ns
-spec:
-  hosts:
-  - httpbin.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  endpoints:
-  - address: 2.2.2.2
-  - address: 3.3.3.3
-  serviceAccounts:
-  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
-
- diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go index 8ad90166c0..757e3ec8a3 100644 --- a/networking/v1alpha3/service_entry.pb.go +++ b/networking/v1alpha3/service_entry.pb.go @@ -433,7 +433,14 @@ type ServiceEntry struct { // the annotation "networking.istio.io/export_to" to a comma-separated list // of namespace names. ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo" json:"export_to,omitempty"` - // The following example illustrates the usage of a service account + // $hide_from_docs + // The list of subject alternate names allowed for workloads that + // implement this service. This information is used to enforce + // secure-naming . + // If specified, the proxy will verify that the server + // certificate's subject alternate name matches one of the specified values. + // + // The following example illustrates the usage of a subject alternate name // whose format conforms to the SPIFEE standard // : // @@ -455,10 +462,10 @@ type ServiceEntry struct { // endpoints: // - address: 2.2.2.2 // - address: 3.3.3.3 - // serviceAccounts: + // subjectAltNames: // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" // ``` - ServiceAccounts []string `protobuf:"bytes,8,rep,name=service_accounts,json=serviceAccounts" json:"service_accounts,omitempty"` + SubjectAltNames []string `protobuf:"bytes,8,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"` } func (m *ServiceEntry) Reset() { *m = ServiceEntry{} } @@ -515,9 +522,9 @@ func (m *ServiceEntry) GetExportTo() []string { return nil } -func (m *ServiceEntry) GetServiceAccounts() []string { +func (m *ServiceEntry) GetSubjectAltNames() []string { if m != nil { - return m.ServiceAccounts + return m.SubjectAltNames } return nil } 
@@ -717,8 +724,8 @@ func (m *ServiceEntry) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } - if len(m.ServiceAccounts) > 0 { - for _, s := range m.ServiceAccounts { + if len(m.SubjectAltNames) > 0 { + for _, s := range m.SubjectAltNames { dAtA[i] = 0x42 i++ l = len(s) @@ -857,8 +864,8 @@ func (m *ServiceEntry) Size() (n int) { n += 1 + l + sovServiceEntry(uint64(l)) } } - if len(m.ServiceAccounts) > 0 { - for _, s := range m.ServiceAccounts { + if len(m.SubjectAltNames) > 0 { + for _, s := range m.SubjectAltNames { l = len(s) n += 1 + l + sovServiceEntry(uint64(l)) } @@ -1134,7 +1141,7 @@ func (m *ServiceEntry) Unmarshal(dAtA []byte) error { iNdEx = postIndex case 8: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccounts", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field SubjectAltNames", wireType) } var stringLen uint64 for shift := uint(0); ; shift += 7 { @@ -1159,7 +1166,7 @@ func (m *ServiceEntry) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.ServiceAccounts = append(m.ServiceAccounts, string(dAtA[iNdEx:postIndex])) + m.SubjectAltNames = append(m.SubjectAltNames, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex default: iNdEx = preIndex 
@@ -1671,38 +1678,38 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/service_entry.proto", fileDescriptorServiceEntry) } var fileDescriptorServiceEntry = []byte{ - // 517 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xdf, 0x6e, 0xd3, 0x30, - 0x14, 0xc6, 0xe7, 0x66, 0x4b, 0x93, 0x33, 0x06, 0xc1, 0x42, 0x28, 0x14, 0x54, 0x42, 0x6f, 0x28, - 0x42, 0x4a, 0x47, 0x27, 0xa4, 0xf1, 0xe7, 0xa6, 0x40, 0x24, 0x26, 0x95, 0x00, 0x6e, 0x2f, 0x10, - 0x37, 0x95, 0xd7, 0x5a, 0xad, 0xb5, 0x28, 0xae, 0x62, 0xb7, 0xa5, 0x6f, 0xc1, 0x4b, 0xf0, 0x2e, - 0x5c, 0xf2, 0x08, 0xa8, 0x4f, 0x82, 0xe2, 0x38, 0x4d, 0x2f, 0x06, 0x6c, 0x77, 0x3d, 0xa7, 0xe7, - 0xfb, 0xe5, 0xb3, 0xbf, 0x63, 0x78, 0x9c, 0x32, 0xb5, 0x12, 0xd9, 0x05, 0x4f, 0xa7, 0x9d, 0xe5, - 0x33, 0x9a, 0xcc, 0x67, 0xf4, 0xa4, 0x23, 0x59, 0xb6, 0xe4, 0x63, 0x36, 0x62, 0xa9, 0xca, 0xd6, - 0xe1, 0x3c, 0x13, 0x4a, 0xe0, 0x7b, 0x5c, 0x2a, 0x2e, 0xc2, 0x6a, 0x3c, 0x2c, 0xc7, 0x1b, 0x8f, - 0x2e, 0x63, 0x4c, 0xa9, 0x62, 0x2b, 0x6a, 0xd4, 0xad, 0x1f, 0x75, 0xb8, 0x31, 0x28, 0xa8, 0x51, - 0x0e, 0xc5, 0x77, 0xe0, 0x60, 0x26, 0xa4, 0x92, 0x3e, 0x0a, 0xac, 0xb6, 0x4b, 0x8a, 0x02, 0x3f, - 0x00, 0x97, 0x4e, 0x26, 0x19, 0x93, 0x92, 0x49, 0xbf, 0xa6, 0xff, 0xa9, 0x1a, 0xf8, 0x39, 0x1c, - 0xcc, 0x45, 0xa6, 0xa4, 0x6f, 0x05, 0x56, 0xfb, 0xb0, 0xfb, 0x30, 0xfc, 0xab, 0xa5, 0xf0, 0x93, - 0xc8, 0x14, 0x29, 0xa6, 0x71, 0x1f, 0x9c, 0x44, 0x8c, 0xa9, 0xe2, 0x22, 0xf5, 0xf7, 0x03, 0xd4, - 0xbe, 0xd9, 0x3d, 0xfe, 0x87, 0x72, 0xd7, 0x65, 0xd8, 0x37, 0x3a, 0xb2, 0x25, 0x60, 0x02, 0x90, - 0x31, 0x29, 0x92, 0x85, 0xe6, 0x1d, 0x68, 0x5e, 0xf7, 0xaa, 0x3c, 0xb2, 0x55, 0x92, 0x1d, 0x0a, - 0x8e, 0xc1, 0x65, 0xe9, 0x64, 0x2e, 0x78, 0xaa, 0xa4, 0x6f, 0xeb, 0xc3, 0x5d, 0xd9, 0x62, 0x64, - 0x84, 0xa4, 0x42, 0xe0, 0xfb, 0xe0, 0xb2, 0x6f, 0xf9, 0xe1, 0x47, 0x4a, 0xf8, 0x75, 0x7d, 0x8d, - 0x4e, 0xd1, 0x18, 0x0a, 0xfc, 0x04, 0xbc, 0x32, 0x5f, 0x3a, 0x1e, 0x8b, 0x45, 0xfe, 0x4d, 0x47, - 0xcf, 
0xdc, 0x32, 0xfd, 0x9e, 0x69, 0x37, 0xbe, 0x5b, 0xe0, 0x94, 0x7c, 0xec, 0x43, 0xdd, 0x44, - 0xe1, 0xa3, 0x00, 0xb5, 0x5d, 0x52, 0x96, 0xf8, 0x73, 0x99, 0x4b, 0x4d, 0x5b, 0x7f, 0x75, 0x5d, - 0xeb, 0x3a, 0x2d, 0xa9, 0x7b, 0x65, 0x66, 0x43, 0xb0, 0x13, 0x7a, 0xce, 0x92, 0x32, 0xeb, 0xd7, - 0xd7, 0x66, 0xf6, 0xb5, 0xbc, 0x80, 0x1a, 0x56, 0x7e, 0x04, 0x03, 0xd0, 0x8b, 0xe0, 0x92, 0xb2, - 0xc4, 0x8d, 0x62, 0x47, 0x12, 0xae, 0xd6, 0x3a, 0x53, 0x97, 0x6c, 0x6b, 0x7c, 0x17, 0xec, 0x15, - 0xe3, 0xd3, 0x99, 0xf2, 0xed, 0x00, 0xb5, 0x8f, 0x88, 0xa9, 0x1a, 0xa7, 0x00, 0x95, 0x71, 0xec, - 0x81, 0x75, 0xc1, 0xd6, 0xe6, 0x6a, 0xf2, 0x9f, 0xf9, 0x8a, 0x2f, 0x69, 0xb2, 0x60, 0x7e, 0x4d, - 0xcb, 0x8a, 0xe2, 0x65, 0xed, 0x14, 0x35, 0x5e, 0xc0, 0xe1, 0x8e, 0xbd, 0xff, 0x49, 0xdd, 0x1d, - 0x69, 0xeb, 0x18, 0x9c, 0x72, 0x29, 0xf1, 0x6d, 0x38, 0xfa, 0x10, 0x0d, 0xde, 0x8f, 0xa2, 0x2f, - 0xc3, 0x88, 0xc4, 0xbd, 0xbe, 0xb7, 0xb7, 0x6d, 0x9d, 0xc5, 0xa6, 0x85, 0x5a, 0x4f, 0x01, 0xaa, - 0xb5, 0xc3, 0x0e, 0xec, 0xc7, 0x1f, 0xe3, 0xc8, 0xdb, 0xc3, 0x00, 0xf6, 0x60, 0xd8, 0x1b, 0x9e, - 0xbd, 0xf5, 0x10, 0xae, 0x83, 0xf5, 0x2e, 0x1e, 0x78, 0xb5, 0x37, 0xe1, 0xcf, 0x4d, 0x13, 0xfd, - 0xda, 0x34, 0xd1, 0xef, 0x4d, 0x13, 0x7d, 0x0d, 0x8a, 0x4b, 0xe7, 0xa2, 0x43, 0xe7, 0xbc, 0x73, - 0xc9, 0x2b, 0x3f, 0xb7, 0xf5, 0xf3, 0x3e, 0xf9, 0x13, 0x00, 0x00, 0xff, 0xff, 0x52, 0xbc, 0xd3, - 0xed, 0x47, 0x04, 0x00, 0x00, + // 527 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xdf, 0x8e, 0xd2, 0x40, + 0x14, 0xc6, 0x77, 0xe8, 0x52, 0xda, 0xb3, 0xae, 0xb2, 0x13, 0x63, 0x46, 0x34, 0x58, 0xb9, 0x91, + 0x68, 0x52, 0x56, 0x36, 0x26, 0xeb, 0x9f, 0x1b, 0xd4, 0x26, 0x6e, 0x82, 0x55, 0x07, 0x2e, 0x8c, + 0x37, 0x64, 0x80, 0x09, 0xd4, 0xad, 0x1d, 0xd2, 0x19, 0x40, 0xde, 0xc2, 0xa7, 0xf0, 0x59, 0xbc, + 0xf4, 0x11, 0x0c, 0x4f, 0x62, 0x3a, 0x9d, 0x02, 0x17, 0xab, 0xbb, 0x7b, 0xd7, 0x73, 0xe6, 0x7c, + 0xbf, 0x7e, 0x73, 0xce, 0x19, 0x78, 0x94, 0x70, 0xb5, 0x14, 
0xe9, 0x79, 0x94, 0x4c, 0x5a, 0x8b, + 0xa7, 0x2c, 0x9e, 0x4d, 0xd9, 0x49, 0x4b, 0xf2, 0x74, 0x11, 0x8d, 0xf8, 0x80, 0x27, 0x2a, 0x5d, + 0xf9, 0xb3, 0x54, 0x28, 0x81, 0xef, 0x46, 0x52, 0x45, 0xc2, 0xdf, 0x96, 0xfb, 0x45, 0x79, 0xed, + 0xe1, 0x45, 0x8c, 0x09, 0x53, 0x7c, 0xc9, 0x8c, 0xba, 0xf1, 0xb3, 0x02, 0x37, 0x7a, 0x39, 0x35, + 0xc8, 0xa0, 0xf8, 0x36, 0x94, 0xa7, 0x42, 0x2a, 0x49, 0x90, 0x67, 0x35, 0x5d, 0x9a, 0x07, 0xf8, + 0x3e, 0xb8, 0x6c, 0x3c, 0x4e, 0xb9, 0x94, 0x5c, 0x92, 0x92, 0x3e, 0xd9, 0x26, 0xf0, 0x33, 0x28, + 0xcf, 0x44, 0xaa, 0x24, 0xb1, 0x3c, 0xab, 0x79, 0xd0, 0x7e, 0xe0, 0xff, 0xd3, 0x92, 0xff, 0x51, + 0xa4, 0x8a, 0xe6, 0xd5, 0xb8, 0x0b, 0x4e, 0x2c, 0x46, 0x4c, 0x45, 0x22, 0x21, 0xfb, 0x1e, 0x6a, + 0xde, 0x6c, 0x1f, 0xff, 0x47, 0xb9, 0xeb, 0xd2, 0xef, 0x1a, 0x1d, 0xdd, 0x10, 0x30, 0x05, 0x48, + 0xb9, 0x14, 0xf1, 0x5c, 0xf3, 0xca, 0x9a, 0xd7, 0xbe, 0x2a, 0x8f, 0x6e, 0x94, 0x74, 0x87, 0x82, + 0x43, 0x70, 0x79, 0x32, 0x9e, 0x89, 0x28, 0x51, 0x92, 0xd8, 0xfa, 0x72, 0x57, 0xb6, 0x18, 0x18, + 0x21, 0xdd, 0x22, 0xf0, 0x3d, 0x70, 0xf9, 0xf7, 0xec, 0xf2, 0x03, 0x25, 0x48, 0x45, 0xb7, 0xd1, + 0xc9, 0x13, 0x7d, 0x81, 0x1f, 0xc3, 0x91, 0x9c, 0x0f, 0xbf, 0xf2, 0x91, 0x1a, 0xb0, 0x58, 0x0d, + 0x12, 0xf6, 0x8d, 0x4b, 0xe2, 0xe8, 0xa2, 0x5b, 0xe6, 0xa0, 0x13, 0xab, 0x30, 0x4b, 0xd7, 0x7e, + 0x58, 0xe0, 0x14, 0x3f, 0xc0, 0x04, 0x2a, 0x66, 0x16, 0x04, 0x79, 0xa8, 0xe9, 0xd2, 0x22, 0xc4, + 0x9f, 0x8a, 0xc1, 0x94, 0xb4, 0xf7, 0x97, 0xd7, 0xf5, 0xae, 0xc7, 0x25, 0x75, 0xae, 0x18, 0x5a, + 0x1f, 0xec, 0x98, 0x0d, 0x79, 0x5c, 0x0c, 0xfb, 0xd5, 0xb5, 0x99, 0x5d, 0x2d, 0xcf, 0xa1, 0x86, + 0x95, 0x5d, 0xc1, 0x00, 0xf4, 0x26, 0xb8, 0xb4, 0x08, 0x71, 0x2d, 0x5f, 0x92, 0x38, 0x52, 0x2b, + 0x3d, 0x54, 0x97, 0x6e, 0x62, 0x7c, 0x07, 0xec, 0x25, 0x8f, 0x26, 0x53, 0x45, 0x6c, 0x0f, 0x35, + 0x0f, 0xa9, 0x89, 0x6a, 0xa7, 0x00, 0x5b, 0xe3, 0xb8, 0x0a, 0xd6, 0x39, 0x5f, 0x99, 0xd6, 0x64, + 0x9f, 0xd9, 0x8e, 0x2f, 0x58, 0x3c, 0xe7, 0xa4, 0xa4, 0x65, 0x79, 0xf0, 0xa2, 0x74, 0x8a, 0x6a, + 
0xcf, 0xe1, 0x60, 0xc7, 0xde, 0x65, 0x52, 0x77, 0x47, 0xda, 0x38, 0x06, 0xa7, 0xd8, 0x4a, 0x7c, + 0x04, 0x87, 0xef, 0x83, 0xde, 0xbb, 0x41, 0xf0, 0xb9, 0x1f, 0xd0, 0xb0, 0xd3, 0xad, 0xee, 0x6d, + 0x52, 0x67, 0xa1, 0x49, 0xa1, 0xc6, 0x13, 0x80, 0xed, 0xde, 0x61, 0x07, 0xf6, 0xc3, 0x0f, 0x61, + 0x50, 0xdd, 0xc3, 0x00, 0x76, 0xaf, 0xdf, 0xe9, 0x9f, 0xbd, 0xa9, 0x22, 0x5c, 0x01, 0xeb, 0x6d, + 0xd8, 0xab, 0x96, 0x5e, 0xfb, 0xbf, 0xd6, 0x75, 0xf4, 0x7b, 0x5d, 0x47, 0x7f, 0xd6, 0x75, 0xf4, + 0xc5, 0xcb, 0x9b, 0x1e, 0x89, 0x16, 0x9b, 0x45, 0xad, 0x0b, 0x9e, 0xf9, 0xd0, 0xd6, 0xef, 0xfb, + 0xe4, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x10, 0x53, 0xa9, 0xc0, 0x48, 0x04, 0x00, 0x00, } diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto index 6ffad51b3b..49773effa1 100644 --- a/networking/v1alpha3/service_entry.proto +++ b/networking/v1alpha3/service_entry.proto @@ -463,11 +463,13 @@ message ServiceEntry { repeated string export_to = 7; // $hide_from_docs - // The set of service accounts identities allowed for workloads that + // The list of subject alternate names allowed for workloads that // implement this service. This information is used to enforce // secure-naming . - - // The following example illustrates the usage of a service account + // If specified, the proxy will verify that the server + // certificate's subject alternate name matches one of the specified values. + // + // The following example illustrates the usage of a subject alternate name // whose format conforms to the SPIFEE standard // : // @@ -489,8 +491,8 @@ message ServiceEntry { // endpoints: // - address: 2.2.2.2 // - address: 3.3.3.3 - // serviceAccounts: + // subjectAltNames: // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" // ``` - repeated string service_accounts = 8; + repeated string subject_alt_names = 8; } diff --git a/proto.lock b/proto.lock index d1fc4ef344..408a2f7fa6 100644 --- a/proto.lock +++ b/proto.lock 
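Review bot: The new sentence `+ // If specified, the proxy will verify that the server` leaves the unspecified case undefined, and for a secure-naming allow-list the fail-open versus fail-closed default is exactly what a deployer needs: the comment should state whether an empty `subject_alt_names` means no SAN check is performed for this host or that the proxy falls back to another identity source, whichever the implementation actually does. It should also say whether matching is exact string comparison or permits wildcards or prefixes, and that the check can only apply on connections where the client proxy performs (m)TLS to the endpoint, since a plaintext connection has no server certificate to inspect. The X.509 term is "Subject Alternative Name" (a SPIFFE ID is carried as a URI SAN), and `SPIFEE` should read `SPIFFE`. Since the resource is namespace-scoped yet the host can be exported via `export_to`, it may be worth a sentence on who is trusted to assert these identities for a host. The enclosing `message ServiceEntry` starts outside the hunk.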
@@ -3458,7 +3458,7 @@ }, { "id": 8, - "name": "service_accounts", + "name": "subject_alt_names", "type": "string", "is_repeated": true } diff --git a/python/istio_api/networking/v1alpha3/service_entry_pb2.py b/python/istio_api/networking/v1alpha3/service_entry_pb2.py index 6798dae7a6..c70404326d 100644 --- a/python/istio_api/networking/v1alpha3/service_entry_pb2.py +++ b/python/istio_api/networking/v1alpha3/service_entry_pb2.py 
@@ -20,7 +20,7 @@ name='networking/v1alpha3/service_entry.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\x85\x06\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 \x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 \x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x12\x18\n\x10service_accounts\x18\x08 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3') + serialized_pb=_b('\n\'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a!networking/v1alpha3/gateway.proto\"\x86\x06\n\x0cServiceEntry\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\taddresses\x18\x02 \x03(\t\x12.\n\x05ports\x18\x03 \x03(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x42\n\x08location\x18\x04 
\x01(\x0e\x32\x30.istio.networking.v1alpha3.ServiceEntry.Location\x12\x46\n\nresolution\x18\x05 \x01(\x0e\x32\x32.istio.networking.v1alpha3.ServiceEntry.Resolution\x12\x43\n\tendpoints\x18\x06 \x03(\x0b\x32\x30.istio.networking.v1alpha3.ServiceEntry.Endpoint\x12\x11\n\texport_to\x18\x07 \x03(\t\x12\x19\n\x11subject_alt_names\x18\x08 \x03(\t\x1a\xc5\x02\n\x08\x45ndpoint\x12\x0f\n\x07\x61\x64\x64ress\x18\x01 \x01(\t\x12J\n\x05ports\x18\x02 \x03(\x0b\x32;.istio.networking.v1alpha3.ServiceEntry.Endpoint.PortsEntry\x12L\n\x06labels\x18\x03 \x03(\x0b\x32<.istio.networking.v1alpha3.ServiceEntry.Endpoint.LabelsEntry\x12\x0f\n\x07network\x18\x04 \x01(\t\x12\x10\n\x08locality\x18\x05 \x01(\t\x12\x0e\n\x06weight\x18\x06 \x01(\r\x1a,\n\nPortsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\r:\x02\x38\x01\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"0\n\x08Location\x12\x11\n\rMESH_EXTERNAL\x10\x00\x12\x11\n\rMESH_INTERNAL\x10\x01\"+\n\nResolution\x12\x08\n\x04NONE\x10\x00\x12\n\n\x06STATIC\x10\x01\x12\x07\n\x03\x44NS\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3') , dependencies=[networking_dot_v1alpha3_dot_gateway__pb2.DESCRIPTOR,]) @@ -43,8 +43,8 @@ ], containing_type=None, options=None, - serialized_start=786, - serialized_end=834, + serialized_start=787, + serialized_end=835, ) _sym_db.RegisterEnumDescriptor(_SERVICEENTRY_LOCATION) @@ -69,8 +69,8 @@ ], containing_type=None, options=None, - serialized_start=836, - serialized_end=879, + serialized_start=837, + serialized_end=880, ) _sym_db.RegisterEnumDescriptor(_SERVICEENTRY_RESOLUTION) @@ -108,8 +108,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=693, - serialized_end=737, + serialized_start=694, + serialized_end=738, ) _SERVICEENTRY_ENDPOINT_LABELSENTRY = _descriptor.Descriptor( 
@@ -145,8 +145,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=739, - serialized_end=784, + serialized_start=740, + serialized_end=785, ) _SERVICEENTRY_ENDPOINT = _descriptor.Descriptor( @@ -210,8 +210,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=459, - serialized_end=784, + serialized_start=460, + serialized_end=785, ) _SERVICEENTRY = _descriptor.Descriptor( @@ -271,7 +271,7 @@ is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='service_accounts', full_name='istio.networking.v1alpha3.ServiceEntry.service_accounts', index=7, + name='subject_alt_names', full_name='istio.networking.v1alpha3.ServiceEntry.subject_alt_names', index=7, number=8, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, @@ -292,7 +292,7 @@ oneofs=[ ], serialized_start=106, - serialized_end=879, + serialized_end=880, ) _SERVICEENTRY_ENDPOINT_PORTSENTRY.containing_type = _SERVICEENTRY_ENDPOINT From ce63c702e248d499092c33f37be8dab094e886ee Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Tue, 5 Feb 2019 09:49:06 -0800 Subject: [PATCH 5/7] Move example out of the message definition --- networking/v1alpha3/destination_rule.pb.go | 2 + networking/v1alpha3/destination_rule.proto | 2 + .../istio.networking.v1alpha3.pb.html | 30 ++++++++++- networking/v1alpha3/service_entry.pb.go | 53 ++++++++++--------- networking/v1alpha3/service_entry.proto | 53 ++++++++++--------- 5 files changed, 87 insertions(+), 53 deletions(-) diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go index 1dd22cc9fc..1e054cdc6e 100644 --- a/networking/v1alpha3/destination_rule.pb.go +++ b/networking/v1alpha3/destination_rule.pb.go 
@@ -1228,6 +1228,8 @@ type TLSSettings struct {
 	// A list of alternate names to verify the subject identity in the
 	// certificate. If specified, the proxy will verify that the server
 	// certificate's subject alt name matches one of the specified values.
+	// If specified, this list overrides the value of subject_alt_names
+	// from the ServiceEntry
 	SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"`
 	// SNI string to present to the server during TLS handshake.
 	Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"`
diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto
index f622a2670e..eb1a58a6c6 100644
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@@ -577,6 +577,8 @@ message TLSSettings {
   // A list of alternate names to verify the subject identity in the
   // certificate. If specified, the proxy will verify that the server
   // certificate's subject alt name matches one of the specified values.
+  // If specified, this list overrides the value of subject_alt_names
+  // from the ServiceEntry
   repeated string subject_alt_names = 5;
 
   // SNI string to present to the server during TLS handshake.
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index e83d3b10fc..2a1005a36c 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -3386,6 +3386,32 @@
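Review bot: The added sentence `If specified, this list overrides the value of subject_alt_names from the ServiceEntry` on `TLSSettings.subject_alt_names` leaves the precedence ambiguous in a way that decides which server identities a client will accept: it does not say whether a non-empty DestinationRule list replaces the ServiceEntry list outright or is merged with it, nor what an empty/unset list does. Because a DestinationRule can be authored independently of the ServiceEntry, a replace semantic lets a DestinationRule widen the set of identities trusted for a host beyond what the ServiceEntry owner declared, and that is worth stating so reviewers of DestinationRules know to look for it. Suggested wording, to be adjusted to the proxy's actual merge/replace behaviour: `// If non-empty, this list replaces (is not merged with) the subject_alt_names declared on the matching ServiceEntry; if empty, the ServiceEntry list remains in effect.` The `message TLSSettings {` body continues outside the hunk.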

ServiceEntry

specified above. In other words, a call to http://foo.bar.com/baz would be translated to http://uk.foo.bar.com/baz.

+

The following example illustrates the usage of a ServiceEntry +containing a subject alternate name +whose format conforms to the SPIFEE standard +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: httpbin
+  namespace : httpbin-ns
+spec:
+  hosts:
+  - httpbin.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: 2.2.2.2
+  - address: 3.3.3.3
+  subjectAltNames:
+  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
+
+ @@ -4193,7 +4219,9 @@

TLSSettings

diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go index 757e3ec8a3..ec0d097721 100644 --- a/networking/v1alpha3/service_entry.pb.go +++ b/networking/v1alpha3/service_entry.pb.go @@ -378,6 +378,33 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) { // specified above. In other words, a call to `http://foo.bar.com/baz` would // be translated to `http://uk.foo.bar.com/baz`. // +// The following example illustrates the usage of a ServiceEntry +// containing a subject alternate name +// whose format conforms to the SPIFEE standard +// : +// +// ```yaml +// apiVersion: networking.istio.io/v1alpha3 +// kind: ServiceEntry +// metadata: +// name: httpbin +// namespace : httpbin-ns +// spec: +// hosts: +// - httpbin.com +// location: MESH_INTERNAL +// ports: +// - number: 80 +// name: http +// protocol: HTTP +// resolution: STATIC +// endpoints: +// - address: 2.2.2.2 +// - address: 3.3.3.3 +// subjectAltNames: +// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" +// ``` +// type ServiceEntry struct { // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS // name with wildcard prefix (external services only). DNS names in hosts 
@@ -439,32 +466,6 @@ type ServiceEntry struct { // secure-naming . // If specified, the proxy will verify that the server // certificate's subject alternate name matches one of the specified values. - // - // The following example illustrates the usage of a subject alternate name - // whose format conforms to the SPIFEE standard - // : - // - // ```yaml - // apiVersion: networking.istio.io/v1alpha3 - // kind: ServiceEntry - // metadata: - // name: httpbin - // namespace : httpbin-ns - // spec: - // hosts: - // - httpbin.com - // location: MESH_INTERNAL - // ports: - // - number: 80 - // name: http - // protocol: HTTP - // resolution: STATIC - // endpoints: - // - address: 2.2.2.2 - // - address: 3.3.3.3 - // subjectAltNames: - // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" - // ``` SubjectAltNames []string `protobuf:"bytes,8,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"` } diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto index 49773effa1..411fc366c0 100644 --- a/networking/v1alpha3/service_entry.proto +++ b/networking/v1alpha3/service_entry.proto 
@@ -299,6 +299,33 @@ option go_package = "istio.io/api/networking/v1alpha3"; // specified above. In other words, a call to `http://foo.bar.com/baz` would // be translated to `http://uk.foo.bar.com/baz`. // +// The following example illustrates the usage of a ServiceEntry +// containing a subject alternate name +// whose format conforms to the SPIFEE standard +// : +// +// ```yaml +// apiVersion: networking.istio.io/v1alpha3 +// kind: ServiceEntry +// metadata: +// name: httpbin +// namespace : httpbin-ns +// spec: +// hosts: +// - httpbin.com +// location: MESH_INTERNAL +// ports: +// - number: 80 +// name: http +// protocol: HTTP +// resolution: STATIC +// endpoints: +// - address: 2.2.2.2 +// - address: 3.3.3.3 +// subjectAltNames: +// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" +// ``` +// message ServiceEntry { // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS // name with wildcard prefix (external services only). DNS names in hosts @@ -468,31 +495,5 @@ message ServiceEntry { // secure-naming . // If specified, the proxy will verify that the server // certificate's subject alternate name matches one of the specified values. - // - // The following example illustrates the usage of a subject alternate name - // whose format conforms to the SPIFEE standard - // : - // - // ```yaml - // apiVersion: networking.istio.io/v1alpha3 - // kind: ServiceEntry - // metadata: - // name: httpbin - // namespace : httpbin-ns - // spec: - // hosts: - // - httpbin.com - // location: MESH_INTERNAL - // ports: - // - number: 80 - // name: http - // protocol: HTTP - // resolution: STATIC - // endpoints: - // - address: 2.2.2.2 - // - address: 3.3.3.3 - // subjectAltNames: - // - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" - // ``` repeated string subject_alt_names = 8; } From 6c33e7ea1820d813cc93b0f61b676de4c7a138ef Mon Sep 17 00:00:00 2001 
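Review bot: After this hunk the field comment on `repeated string subject_alt_names = 8` in service_entry.proto only says the proxy verifies the SAN against these values, while the same series adds to destination_rule.proto that a DestinationRule `subject_alt_names` overrides this list; a reader of ServiceEntry alone never learns that the identities declared here can be superseded. I would mirror the statement at this end, e.g. `// A DestinationRule whose TLSSettings.subject_alt_names is non-empty for this host takes precedence over this list.` so both sides of the precedence rule are documented where each field is defined. The `message ServiceEntry {` body starts before this hunk.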
From: Andra Cismaru Date: Tue, 5 Feb 2019 09:55:11 -0800 Subject: [PATCH 6/7] Added a period --- networking/v1alpha3/destination_rule.pb.go | 2 +- networking/v1alpha3/destination_rule.proto | 2 +- networking/v1alpha3/istio.networking.v1alpha3.pb.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/networking/v1alpha3/destination_rule.pb.go b/networking/v1alpha3/destination_rule.pb.go index 1e054cdc6e..229e1934c1 100644 --- a/networking/v1alpha3/destination_rule.pb.go +++ b/networking/v1alpha3/destination_rule.pb.go @@ -1229,7 +1229,7 @@ type TLSSettings struct { // certificate. If specified, the proxy will verify that the server // certificate's subject alt name matches one of the specified values. // If specified, this list overrides the value of subject_alt_names - // from the ServiceEntry + // from the ServiceEntry. SubjectAltNames []string `protobuf:"bytes,5,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"` // SNI string to present to the server during TLS handshake. Sni string `protobuf:"bytes,6,opt,name=sni,proto3" json:"sni,omitempty"` diff --git a/networking/v1alpha3/destination_rule.proto b/networking/v1alpha3/destination_rule.proto index eb1a58a6c6..ff7b277d2c 100644 --- a/networking/v1alpha3/destination_rule.proto +++ b/networking/v1alpha3/destination_rule.proto @@ -578,7 +578,7 @@ message TLSSettings { // certificate. If specified, the proxy will verify that the server // certificate's subject alt name matches one of the specified values. // If specified, this list overrides the value of subject_alt_names - // from the ServiceEntry + // from the ServiceEntry. repeated string subject_alt_names = 5; // SNI string to present to the server during TLS handshake. diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index 2a1005a36c..49506dd187 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html 
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -4221,7 +4221,7 @@

TLSSettings

certificate. If specified, the proxy will verify that the server certificate’s subject alt name matches one of the specified values. If specified, this list overrides the value of subjectaltnames -from the ServiceEntry

+from the ServiceEntry.

From 3968507ae04e667fc88b75242fbc4ab1dc3fb877 Mon Sep 17 00:00:00 2001 From: Andra Cismaru Date: Tue, 5 Feb 2019 12:32:49 -0800 Subject: [PATCH 7/7] Remove hide_from_docs --- .../v1alpha3/istio.networking.v1alpha3.pb.html | 12 ++++++++++++ networking/v1alpha3/service_entry.pb.go | 1 - networking/v1alpha3/service_entry.proto | 1 - 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index 49506dd187..5f32305833 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -3491,6 +3491,18 @@

ServiceEntry

+ + + + + diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go index ec0d097721..fec6204361 100644 --- a/networking/v1alpha3/service_entry.pb.go +++ b/networking/v1alpha3/service_entry.pb.go @@ -460,7 +460,6 @@ type ServiceEntry struct { // the annotation "networking.istio.io/export_to" to a comma-separated list // of namespace names. ExportTo []string `protobuf:"bytes,7,rep,name=export_to,json=exportTo" json:"export_to,omitempty"` - // $hide_from_docs // The list of subject alternate names allowed for workloads that // implement this service. This information is used to enforce // secure-naming . diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto index 411fc366c0..94d4e92a42 100644 --- a/networking/v1alpha3/service_entry.proto +++ b/networking/v1alpha3/service_entry.proto @@ -489,7 +489,6 @@ message ServiceEntry { // of namespace names. repeated string export_to = 7; - // $hide_from_docs // The list of subject alternate names allowed for workloads that // implement this service. This information is used to enforce // secure-naming .
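Review bot: Dropping `$hide_from_docs` makes `subject_alt_names` a published v1alpha3 field, but the comment that becomes public still opens with `The list of subject alternate names allowed for workloads that implement this service`, which reads like a server-side or admission restriction, whereas the following sentence describes a client-side check of the server certificate; nothing states what happens when the list is empty (no SAN check at all, or some default identity). Before publishing I would tighten the opening to `// The subject alternate names a client proxy will accept in the server certificate presented by workloads implementing this service.` and add one sentence giving the empty-list behaviour once confirmed against the proxy. The `// secure-naming .` text in this hunk looks like a link target lost in this page's rendering (the generated HTML elsewhere in the series shows the URL), so it only needs a quick check that the link survives in the generated docs. The `message ServiceEntry {` body starts before this hunk.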

A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values.

+certificate’s subject alt name matches one of the specified values. +If specified, this list overrides the value of subjectaltnames +from the ServiceEntry

One or more endpoints associated with the service.

+
subjectAltNamesstring[] +

The list of subject alternate names allowed for workloads that +implement this service. This information is used to enforce +secure-naming https://istio.io/docs/concepts/security/#secure-naming. +If specified, the proxy will verify that the server +certificate’s subject alternate name matches one of the specified values.

+