// Copyright 2018 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.35.1
// protoc (unknown)
// source: authentication/v1alpha1/policy.proto
// $schema: istio.authentication.v1alpha1.Policy
// $mode: package
// This package defines user-facing authentication policy.
package v1alpha1
import (
_ "google.golang.org/genproto/googleapis/api/annotations"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
// Both guards are constant expressions, so a version mismatch surfaces at
// build time rather than at run time.
// NOTE(review): presumably a negative result is rejected because
// EnforceVersion is unsigned - confirm in protoimpl.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// $hide_from_docs
// PrincipalBinding associates authentication with the request principal: it
// names which authenticated identity (peer or origin) becomes the principal.
//
// Deprecated. When using security/v1beta1/RequestAuthentication, the request
// principal always comes from request authentication (i.e. JWT).
type PrincipalBinding int32

const (
	// PrincipalBinding_USE_PEER sets the principal to the identity from peer
	// authentication. It is the zero value, so a field that is never set
	// reads as USE_PEER.
	PrincipalBinding_USE_PEER PrincipalBinding = 0
	// PrincipalBinding_USE_ORIGIN sets the principal to the identity from
	// origin authentication.
	PrincipalBinding_USE_ORIGIN PrincipalBinding = 1
)

// Enum value maps for PrincipalBinding.
var (
	// PrincipalBinding_name maps each enum number to its proto name.
	PrincipalBinding_name = map[int32]string{
		int32(PrincipalBinding_USE_PEER):   "USE_PEER",
		int32(PrincipalBinding_USE_ORIGIN): "USE_ORIGIN",
	}
	// PrincipalBinding_value maps each proto name to its enum number. A name
	// that is not in the map yields 0 on a plain lookup, which is USE_PEER;
	// use the two-value form to tell "unknown" from "USE_PEER".
	PrincipalBinding_value = map[string]int32{
		"USE_PEER":   int32(PrincipalBinding_USE_PEER),
		"USE_ORIGIN": int32(PrincipalBinding_USE_ORIGIN),
	}
)

// Enum returns a pointer to a freshly allocated copy of x.
func (x PrincipalBinding) Enum() *PrincipalBinding {
	v := x
	return &v
}
// String returns the name protoimpl derives for x from the enum descriptor.
func (x PrincipalBinding) String() string {
	num := protoreflect.EnumNumber(x)
	return protoimpl.X.EnumStringOf(x.Descriptor(), num)
}

// Descriptor returns the descriptor of enum type 0 of this file.
func (PrincipalBinding) Descriptor() protoreflect.EnumDescriptor {
	info := &file_authentication_v1alpha1_policy_proto_enumTypes[0]
	return info.Descriptor()
}

// Type returns the protoreflect enum type, which is entry 0 of the file's
// enum type table.
func (PrincipalBinding) Type() protoreflect.EnumType {
	info := &file_authentication_v1alpha1_policy_proto_enumTypes[0]
	return info
}

// Number returns x converted to a protoreflect.EnumNumber.
func (x PrincipalBinding) Number() protoreflect.EnumNumber {
	num := protoreflect.EnumNumber(x)
	return num
}

// EnumDescriptor returns the gzipped raw file descriptor and the index path
// of this enum inside it.
//
// Deprecated: Use PrincipalBinding.Descriptor instead.
func (PrincipalBinding) EnumDescriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{0}
}
// $hide_from_docs
// MutualTls_Mode defines the acceptable connection TLS mode.
type MutualTls_Mode int32

const (
	// MutualTls_STRICT requires a client certificate; the connection is in
	// TLS. It is the zero value, so a mode that is never set reads as STRICT.
	MutualTls_STRICT MutualTls_Mode = 0
	// MutualTls_PERMISSIVE accepts either plaintext or TLS with a client
	// certificate. Plaintext connections are therefore admitted in this mode.
	MutualTls_PERMISSIVE MutualTls_Mode = 1
)

// Enum value maps for MutualTls_Mode.
var (
	// MutualTls_Mode_name maps each enum number to its proto name.
	MutualTls_Mode_name = map[int32]string{
		int32(MutualTls_STRICT):     "STRICT",
		int32(MutualTls_PERMISSIVE): "PERMISSIVE",
	}
	// MutualTls_Mode_value maps each proto name to its enum number. A name
	// that is not in the map yields 0 on a plain lookup, which is STRICT.
	MutualTls_Mode_value = map[string]int32{
		"STRICT":     int32(MutualTls_STRICT),
		"PERMISSIVE": int32(MutualTls_PERMISSIVE),
	}
)

// Enum returns a pointer to a freshly allocated copy of x.
func (x MutualTls_Mode) Enum() *MutualTls_Mode {
	v := x
	return &v
}
// String returns the name protoimpl derives for x from the enum descriptor.
func (x MutualTls_Mode) String() string {
	num := protoreflect.EnumNumber(x)
	return protoimpl.X.EnumStringOf(x.Descriptor(), num)
}

// Descriptor returns the descriptor of enum type 1 of this file.
func (MutualTls_Mode) Descriptor() protoreflect.EnumDescriptor {
	info := &file_authentication_v1alpha1_policy_proto_enumTypes[1]
	return info.Descriptor()
}

// Type returns the protoreflect enum type, which is entry 1 of the file's
// enum type table.
func (MutualTls_Mode) Type() protoreflect.EnumType {
	info := &file_authentication_v1alpha1_policy_proto_enumTypes[1]
	return info
}

// Number returns x converted to a protoreflect.EnumNumber.
func (x MutualTls_Mode) Number() protoreflect.EnumNumber {
	num := protoreflect.EnumNumber(x)
	return num
}

// EnumDescriptor returns the gzipped raw file descriptor and the index path
// of this enum inside it.
//
// Deprecated: Use MutualTls_Mode.Descriptor instead.
func (MutualTls_Mode) EnumDescriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{1, 0}
}
// $hide_from_docs
// StringMatch describes how to match a given string. Match is case-sensitive.
//
// Jwt_TriggerRule uses StringMatch for its included and excluded paths, so
// the chosen match type decides which requests have JWT validation triggered.
type StringMatch struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Types that are assignable to MatchType:
	//
	//	*StringMatch_Exact
	//	*StringMatch_Prefix
	//	*StringMatch_Suffix
	//	*StringMatch_Regex
	MatchType isStringMatch_MatchType `protobuf_oneof:"match_type"`
}

// Reset overwrites x with the zero StringMatch and stores the message info
// for message type 0 in its state.
func (x *StringMatch) Reset() {
	*x = StringMatch{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[0]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *StringMatch) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*StringMatch) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *StringMatch) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[0]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use StringMatch.ProtoReflect.Descriptor instead.
func (*StringMatch) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{0}
}

// GetMatchType returns the oneof wrapper held in MatchType, or nil when the
// receiver is nil.
func (x *StringMatch) GetMatchType() isStringMatch_MatchType {
	if x == nil {
		return nil
	}
	return x.MatchType
}

// GetExact returns the exact-match string, or "" when another match type (or
// none) is set. An empty result therefore does not distinguish "unset" from
// an explicitly empty pattern; inspect GetMatchType for that.
func (x *StringMatch) GetExact() string {
	exact, ok := x.GetMatchType().(*StringMatch_Exact)
	if !ok {
		return ""
	}
	return exact.Exact
}

// GetPrefix returns the prefix-match string, or "" when another match type
// (or none) is set.
func (x *StringMatch) GetPrefix() string {
	prefix, ok := x.GetMatchType().(*StringMatch_Prefix)
	if !ok {
		return ""
	}
	return prefix.Prefix
}

// GetSuffix returns the suffix-match string, or "" when another match type
// (or none) is set.
func (x *StringMatch) GetSuffix() string {
	suffix, ok := x.GetMatchType().(*StringMatch_Suffix)
	if !ok {
		return ""
	}
	return suffix.Suffix
}

// GetRegex returns the regex-match string, or "" when another match type (or
// none) is set.
func (x *StringMatch) GetRegex() string {
	re, ok := x.GetMatchType().(*StringMatch_Regex)
	if !ok {
		return ""
	}
	return re.Regex
}
// The StringMatch.MatchType oneof: the unexported marker interface and the
// four wrapper types that implement it.
type (
	// isStringMatch_MatchType is implemented by every wrapper that may be
	// stored in StringMatch.MatchType.
	isStringMatch_MatchType interface {
		isStringMatch_MatchType()
	}

	// StringMatch_Exact selects an exact string match.
	StringMatch_Exact struct {
		// exact string match.
		Exact string `protobuf:"bytes,1,opt,name=exact,proto3,oneof"`
	}

	// StringMatch_Prefix selects a prefix-based match.
	StringMatch_Prefix struct {
		// prefix-based match.
		Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3,oneof"`
	}

	// StringMatch_Suffix selects a suffix-based match.
	StringMatch_Suffix struct {
		// suffix-based match.
		Suffix string `protobuf:"bytes,3,opt,name=suffix,proto3,oneof"`
	}

	// StringMatch_Regex selects a regex-based match.
	StringMatch_Regex struct {
		// RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
		// NOTE(review): whether the expression has to match the whole string
		// or only part of it is not stated here - confirm before relying on
		// it to include or exclude paths.
		Regex string `protobuf:"bytes,4,opt,name=regex,proto3,oneof"`
	}
)

// Marker methods: each wrapper satisfies isStringMatch_MatchType.
func (*StringMatch_Exact) isStringMatch_MatchType()  {}
func (*StringMatch_Prefix) isStringMatch_MatchType() {}
func (*StringMatch_Suffix) isStringMatch_MatchType() {}
func (*StringMatch_Regex) isStringMatch_MatchType()  {}
// $hide_from_docs
// MutualTls holds the TLS authentication params.
//
// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
type MutualTls struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Deprecated. Please use mode = PERMISSIVE instead.
	// If set, will translate to `TLS_PERMISSIVE` mode.
	// Set this flag to true to allow regular TLS (i.e. without client x509
	// certificate). If the request carries a client certificate, the identity
	// will be extracted and used (set to peer identity). Otherwise, peer
	// identity will be left unset.
	// When the flag is false (default), the request must have a client
	// certificate.
	//
	// Setting it weakens peer authentication: requests without a client
	// certificate are admitted and carry no peer identity.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	AllowTls bool `protobuf:"varint,1,opt,name=allow_tls,json=allowTls,proto3" json:"allow_tls,omitempty"`
	// Defines the mode of mTLS authentication. The zero value is
	// MutualTls_STRICT, so leaving the field unset requires a client
	// certificate.
	Mode MutualTls_Mode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.authentication.v1alpha1.MutualTls_Mode" json:"mode,omitempty"`
}

// Reset overwrites x with the zero MutualTls and stores the message info for
// message type 1 in its state.
func (x *MutualTls) Reset() {
	*x = MutualTls{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[1]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *MutualTls) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*MutualTls) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *MutualTls) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[1]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use MutualTls.ProtoReflect.Descriptor instead.
func (*MutualTls) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{1}
}

// GetAllowTls returns AllowTls, or false for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *MutualTls) GetAllowTls() bool {
	if x == nil {
		return false
	}
	return x.AllowTls
}

// GetMode returns Mode, or MutualTls_STRICT for a nil receiver. A nil
// message and a message with Mode unset both read as STRICT.
func (x *MutualTls) GetMode() MutualTls_Mode {
	if x == nil {
		return MutualTls_STRICT
	}
	return x.Mode
}
// $hide_from_docs
// Jwt describes the JSON Web Token (JWT) token format for authentication as
// defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See
// [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
// authentication flow.
//
// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
//
// For example:
//
// A JWT for any requests:
//
// ```yaml
// issuer: https://example.com
// audiences:
// - bookstore_android.apps.googleusercontent.com
//   bookstore_web.apps.googleusercontent.com
// jwksUri: https://example.com/.well-known/jwks.json
// ```
//
// A JWT for all requests except request at path `/health_check` and path with
// prefix `/status/`. This is useful to expose some paths for public access but
// keep others JWT validated.
//
// ```yaml
// issuer: https://example.com
// jwksUri: https://example.com/.well-known/jwks.json
// triggerRules:
// - excludedPaths:
//   - exact: /health_check
//   - prefix: /status/
// ```
//
// A JWT only for requests at path `/admin`. This is useful to only require JWT
// validation on a specific set of paths but keep others publicly accessible.
//
// ```yaml
// issuer: https://example.com
// jwksUri: https://example.com/.well-known/jwks.json
// triggerRules:
// - includedPaths:
//   - prefix: /admin
// ```
//
// A JWT only for requests at path of prefix `/status/` but except the path of
// `/status/version`. This means any request path with prefix `/status/` except
// `/status/version` will require a valid JWT to proceed.
//
// ```yaml
// issuer: https://example.com
// jwksUri: https://example.com/.well-known/jwks.json
// triggerRules:
// - excludedPaths:
//   - exact: /status/version
//   includedPaths:
//   - prefix: /status/
// ```
//
// In every example above, a request whose path does not trigger the rule is
// not JWT validated by this method, so each exclusion is a path served
// without origin authentication.
// NOTE(review): how the request path is normalised before it is compared is
// not visible in this file - confirm it against the component that enforces
// the policy before treating a path list as an access boundary.
type Jwt struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty, so an empty
	// list does not mean "no audience check".
	//
	// Example:
	//
	// ```yaml
	// audiences:
	// - bookstore_android.apps.googleusercontent.com
	//   bookstore_web.apps.googleusercontent.com
	// ```
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: `https://www.googleapis.com/oauth2/v1/certs`
	//
	// Note: Only one of jwks_uri and jwks should be used.
	//
	// The keys served at this URL decide which signatures are accepted.
	// NOTE(review): no scheme or host restriction is visible in this file -
	// confirm where the URL is validated.
	JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"`
	// JSON Web Key Set of public keys to validate signature of the JWT.
	// See https://auth0.com/docs/jwks.
	//
	// Note: Only one of jwks_uri and jwks should be used.
	Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"`
	// JWT is sent in a request header. `header` represents the
	// header name.
	//
	// For example, if `header=x-goog-iap-jwt-assertion`, the header
	// format will be `x-goog-iap-jwt-assertion: <JWT>`.
	JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders,proto3" json:"jwt_headers,omitempty"`
	// JWT is sent in a query parameter. `query` represents the
	// query parameter name.
	//
	// For example, `query=jwt_token`.
	//
	// NOTE(review): a token in a query parameter is part of the request URL,
	// and URLs are commonly written to access logs - check log handling
	// before enabling this, and prefer a header where clients allow it.
	JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams,proto3" json:"jwt_params,omitempty"`
	// List of trigger rules to decide if this JWT should be used to validate the
	// request. The JWT validation happens if any one of the rules matched.
	// If the list is not empty and none of the rules matched, authentication will
	// skip the JWT validation.
	// Leave this empty to always trigger the JWT validation.
	TriggerRules []*Jwt_TriggerRule `protobuf:"bytes,9,rep,name=trigger_rules,json=triggerRules,proto3" json:"trigger_rules,omitempty"`
}

// Reset overwrites x with the zero Jwt and stores the message info for
// message type 2 in its state.
func (x *Jwt) Reset() {
	*x = Jwt{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[2]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *Jwt) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*Jwt) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *Jwt) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[2]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use Jwt.ProtoReflect.Descriptor instead.
func (*Jwt) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{2}
}

// GetIssuer returns Issuer, or "" for a nil receiver.
func (x *Jwt) GetIssuer() string {
	if x == nil {
		return ""
	}
	return x.Issuer
}

// GetAudiences returns Audiences, or nil for a nil receiver. The returned
// slice is the message's own slice, not a copy.
func (x *Jwt) GetAudiences() []string {
	if x == nil {
		return nil
	}
	return x.Audiences
}

// GetJwksUri returns JwksUri, or "" for a nil receiver.
func (x *Jwt) GetJwksUri() string {
	if x == nil {
		return ""
	}
	return x.JwksUri
}

// GetJwks returns Jwks, or "" for a nil receiver.
func (x *Jwt) GetJwks() string {
	if x == nil {
		return ""
	}
	return x.Jwks
}

// GetJwtHeaders returns JwtHeaders, or nil for a nil receiver.
func (x *Jwt) GetJwtHeaders() []string {
	if x == nil {
		return nil
	}
	return x.JwtHeaders
}

// GetJwtParams returns JwtParams, or nil for a nil receiver.
func (x *Jwt) GetJwtParams() []string {
	if x == nil {
		return nil
	}
	return x.JwtParams
}

// GetTriggerRules returns TriggerRules, or nil for a nil receiver. Per the
// field description, an empty list means JWT validation is always triggered.
func (x *Jwt) GetTriggerRules() []*Jwt_TriggerRule {
	if x == nil {
		return nil
	}
	return x.TriggerRules
}
// $hide_from_docs
// PeerAuthenticationMethod defines one particular type of authentication.
// Only mTLS is supported at the moment.
// The type can be programmatically determined by checking the type of the
// "params" field.
//
// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
type PeerAuthenticationMethod struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// $hide_from_docs
	//
	// Types that are assignable to Params:
	//
	//	*PeerAuthenticationMethod_Mtls
	//	*PeerAuthenticationMethod_Jwt
	Params isPeerAuthenticationMethod_Params `protobuf_oneof:"params"`
}

// Reset overwrites x with the zero PeerAuthenticationMethod and stores the
// message info for message type 3 in its state.
func (x *PeerAuthenticationMethod) Reset() {
	*x = PeerAuthenticationMethod{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[3]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *PeerAuthenticationMethod) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*PeerAuthenticationMethod) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *PeerAuthenticationMethod) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[3]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use PeerAuthenticationMethod.ProtoReflect.Descriptor instead.
func (*PeerAuthenticationMethod) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{3}
}

// GetParams returns the oneof wrapper held in Params, or nil when the
// receiver is nil.
func (x *PeerAuthenticationMethod) GetParams() isPeerAuthenticationMethod_Params {
	if x == nil {
		return nil
	}
	return x.Params
}

// GetMtls returns the mTLS params, or nil when the oneof holds something
// else or nothing. A nil result is also what a wrapper with a nil Mtls
// pointer yields, so nil alone does not tell whether mTLS was selected.
func (x *PeerAuthenticationMethod) GetMtls() *MutualTls {
	sel, ok := x.GetParams().(*PeerAuthenticationMethod_Mtls)
	if !ok {
		return nil
	}
	return sel.Mtls
}

// GetJwt returns the JWT params, or nil when the oneof holds something else
// or nothing.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *PeerAuthenticationMethod) GetJwt() *Jwt {
	sel, ok := x.GetParams().(*PeerAuthenticationMethod_Jwt)
	if !ok {
		return nil
	}
	return sel.Jwt
}
// The PeerAuthenticationMethod.Params oneof: the unexported marker interface
// and the two wrapper types that implement it.
type (
	// isPeerAuthenticationMethod_Params is implemented by every wrapper that
	// may be stored in PeerAuthenticationMethod.Params.
	isPeerAuthenticationMethod_Params interface {
		isPeerAuthenticationMethod_Params()
	}

	// PeerAuthenticationMethod_Mtls selects mTLS as the peer method.
	PeerAuthenticationMethod_Mtls struct {
		// Set if mTLS is used.
		Mtls *MutualTls `protobuf:"bytes,1,opt,name=mtls,proto3,oneof"`
	}

	// PeerAuthenticationMethod_Jwt selects JWT as the peer method.
	PeerAuthenticationMethod_Jwt struct {
		// $hide_from_docs
		// Deprecated.
		// Set if JWT is used. This option was never available.
		//
		// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
		Jwt *Jwt `protobuf:"bytes,2,opt,name=jwt,proto3,oneof"`
	}
)

// Marker methods: each wrapper satisfies isPeerAuthenticationMethod_Params.
func (*PeerAuthenticationMethod_Mtls) isPeerAuthenticationMethod_Params() {}
func (*PeerAuthenticationMethod_Jwt) isPeerAuthenticationMethod_Params()  {}
// $hide_from_docs
// OriginAuthenticationMethod defines authentication method/params for origin
// authentication. Origin could be end-user, device, delegate service etc.
// Currently, only JWT is supported for origin authentication.
//
// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
type OriginAuthenticationMethod struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Jwt params for the method.
	Jwt *Jwt `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"`
}

// Reset overwrites x with the zero OriginAuthenticationMethod and stores the
// message info for message type 4 in its state.
func (x *OriginAuthenticationMethod) Reset() {
	*x = OriginAuthenticationMethod{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[4]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *OriginAuthenticationMethod) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*OriginAuthenticationMethod) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *OriginAuthenticationMethod) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[4]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use OriginAuthenticationMethod.ProtoReflect.Descriptor instead.
func (*OriginAuthenticationMethod) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{4}
}

// GetJwt returns Jwt, or nil for a nil receiver.
func (x *OriginAuthenticationMethod) GetJwt() *Jwt {
	if x == nil {
		return nil
	}
	return x.Jwt
}
// $hide_from_docs
// Policy defines what authentication methods can be accepted on workload(s),
// and if authenticated, which method/certificate will set the request principal
// (i.e. request.auth.principal attribute).
//
// Authentication policy is composed of 2-part authentication:
//   - peer: verify caller service credentials. This part will set source.user
//     (peer identity).
//   - origin: verify the origin credentials. This part will set request.auth.user
//     (origin identity), as well as other attributes like request.auth.presenter,
//     request.auth.audiences and raw claims. Note that the identity could be
//     end-user, service account, device etc.
//
// Last but not least, the principal binding rule defines which identity (peer
// or origin) should be used as principal. By default, it uses peer.
//
// Examples:
//
// Policy to enable mTLS for all services in namespace frod. The policy name must be
// `default`, and it contains no rule for `targets`.
//
// ```yaml
// apiVersion: authentication.istio.io/v1alpha1
// kind: Policy
// metadata:
//   name: default
//   namespace: frod
// spec:
//   peers:
//   - mtls:
// ```
//
// Policy to disable mTLS for "productpage" service. It lists no `peers`, and
// an empty peers list means peer authentication is not required.
//
// ```yaml
// apiVersion: authentication.istio.io/v1alpha1
// kind: Policy
// metadata:
//   name: productpage-mTLS-disable
//   namespace: frod
// spec:
//   targets:
//   - name: productpage
// ```
//
// Policy to require mTLS for peer authentication, and JWT for origin authentication
// for productpage:9000 except the path '/health_check'. Principal is set from origin identity.
//
// ```yaml
// apiVersion: authentication.istio.io/v1alpha1
// kind: Policy
// metadata:
//   name: productpage-mTLS-with-JWT
//   namespace: frod
// spec:
//   targets:
//   - name: productpage
//     ports:
//     - number: 9000
//   peers:
//   - mtls:
//   origins:
//   - jwt:
//       issuer: "https://securetoken.google.com"
//       audiences:
//       - "productpage"
//       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
//       jwtHeaders:
//       - "x-goog-iap-jwt-assertion"
//       triggerRules:
//       - excludedPaths:
//         - exact: /health_check
//   principalBinding: USE_ORIGIN
// ```
type Policy struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Deprecated. Only mesh-level and namespace-level policies are supported.
	// List rules to select workloads that the policy should be applied on.
	// If empty, policy will be used on all workloads in the same namespace.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	Targets []*TargetSelector `protobuf:"bytes,1,rep,name=targets,proto3" json:"targets,omitempty"`
	// $hide_from_docs
	// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
	// List of authentication methods that can be used for peer authentication.
	// They will be evaluated in order; the first valid one will be used to
	// set peer identity (source.user) and other peer attributes. If none of
	// these methods pass, request will be rejected with authentication failed error (401).
	// Leave the list empty if peer authentication is not required.
	Peers []*PeerAuthenticationMethod `protobuf:"bytes,2,rep,name=peers,proto3" json:"peers,omitempty"`
	// Deprecated. Should set mTLS to PERMISSIVE instead.
	// Set this flag to true to accept request (for peer authentication perspective),
	// even when none of the peer authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g.
	// authorization).
	// This flag is ignored if no authentication defined for peer (peers field is empty).
	//
	// With the flag set, a failed peer authentication no longer rejects the
	// request by itself; rejection then depends on that next layer.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	PeerIsOptional bool `protobuf:"varint,3,opt,name=peer_is_optional,json=peerIsOptional,proto3" json:"peer_is_optional,omitempty"`
	// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
	// List of authentication methods that can be used for origin authentication.
	// Similar to peers, these will be evaluated in order; the first valid one
	// will be used to set origin identity and attributes (i.e. request.auth.user,
	// request.auth.issuer etc). If none of these methods pass, request will be
	// rejected with authentication failed error (401).
	// A method may be skipped, depending on its trigger rule. If all of these methods
	// are skipped, origin authentication will be ignored, as if it is not defined.
	// Leave the list empty if origin authentication is not required.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	Origins []*OriginAuthenticationMethod `protobuf:"bytes,4,rep,name=origins,proto3" json:"origins,omitempty"`
	// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
	// Set this flag to true to accept request (for origin authentication perspective),
	// even when none of the origin authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g.
	// authorization).
	// This flag is ignored if no authentication defined for origin (origins field is empty).
	//
	// With the flag set, a failed origin authentication no longer rejects the
	// request by itself; rejection then depends on that next layer.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	OriginIsOptional bool `protobuf:"varint,5,opt,name=origin_is_optional,json=originIsOptional,proto3" json:"origin_is_optional,omitempty"`
	// Deprecated. Source principal is always from peer, and request principal is always from
	// RequestAuthentication.
	// Define whether peer or origin identity should be used for principal. Default
	// value is USE_PEER.
	// If peer (or origin) identity is not available, either because peer/origin
	// authentication is not defined, or failed, principal will be left unset.
	// In other words, binding rule does not affect the decision to accept or
	// reject request.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	PrincipalBinding PrincipalBinding `protobuf:"varint,6,opt,name=principal_binding,json=principalBinding,proto3,enum=istio.authentication.v1alpha1.PrincipalBinding" json:"principal_binding,omitempty"`
}

// Reset overwrites x with the zero Policy and stores the message info for
// message type 5 in its state.
func (x *Policy) Reset() {
	*x = Policy{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[5]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *Policy) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*Policy) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *Policy) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[5]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use Policy.ProtoReflect.Descriptor instead.
func (*Policy) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{5}
}

// GetTargets returns Targets, or nil for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *Policy) GetTargets() []*TargetSelector {
	if x == nil {
		return nil
	}
	return x.Targets
}

// GetPeers returns Peers, or nil for a nil receiver. Per the field
// description, an empty list means peer authentication is not required.
func (x *Policy) GetPeers() []*PeerAuthenticationMethod {
	if x == nil {
		return nil
	}
	return x.Peers
}

// GetPeerIsOptional returns PeerIsOptional, or false for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *Policy) GetPeerIsOptional() bool {
	if x == nil {
		return false
	}
	return x.PeerIsOptional
}

// GetOrigins returns Origins, or nil for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *Policy) GetOrigins() []*OriginAuthenticationMethod {
	if x == nil {
		return nil
	}
	return x.Origins
}

// GetOriginIsOptional returns OriginIsOptional, or false for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *Policy) GetOriginIsOptional() bool {
	if x == nil {
		return false
	}
	return x.OriginIsOptional
}

// GetPrincipalBinding returns PrincipalBinding, or PrincipalBinding_USE_PEER
// for a nil receiver.
//
// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
func (x *Policy) GetPrincipalBinding() PrincipalBinding {
	if x == nil {
		return PrincipalBinding_USE_PEER
	}
	return x.PrincipalBinding
}
// $hide_from_docs
// TargetSelector defines a matching rule to a workload. A workload is selected
// if it is associated with the service name and service port(s) specified in
// the selector rule.
//
// Deprecated. Only support mesh and namespace level policy in the future.
type TargetSelector struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// The name must be a short name from the service registry. The
	// fully qualified domain name will be resolved in a platform specific manner.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
	// For example, if a service is defined as below, then `8000` should be used, not `9000`.
	// ```yaml
	// kind: Service
	// metadata:
	//   ...
	// spec:
	//   ports:
	//   - name: http
	//     port: 8000
	//     targetPort: 9000
	//   selector:
	//     app: backend
	// ```
	// Leave empty to match all ports that are exposed.
	Ports []*PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
}

// Reset overwrites x with the zero TargetSelector and stores the message
// info for message type 6 in its state.
func (x *TargetSelector) Reset() {
	*x = TargetSelector{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[6]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *TargetSelector) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*TargetSelector) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *TargetSelector) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[6]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use TargetSelector.ProtoReflect.Descriptor instead.
func (*TargetSelector) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{6}
}

// GetName returns Name, or "" for a nil receiver.
func (x *TargetSelector) GetName() string {
	if x == nil {
		return ""
	}
	return x.Name
}

// GetPorts returns Ports, or nil for a nil receiver. Per the field
// description, an empty list matches all exposed ports.
func (x *TargetSelector) GetPorts() []*PortSelector {
	if x == nil {
		return nil
	}
	return x.Ports
}
// $hide_from_docs
// PortSelector specifies the name or number of a port to be used for
// matching targets for authentication policy. This is copied from
// networking API to avoid dependency.
//
// Deprecated. Only support mesh and namespace level policy in the future.
type PortSelector struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	// Types that are assignable to Port:
	//
	//	*PortSelector_Number
	//	*PortSelector_Name
	Port isPortSelector_Port `protobuf_oneof:"port"`
}

// Reset overwrites x with the zero PortSelector and stores the message info
// for message type 7 in its state.
func (x *PortSelector) Reset() {
	*x = PortSelector{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[7]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}

// String returns the text protoimpl produces for the message.
func (x *PortSelector) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}

// ProtoMessage is a marker method with an empty body.
func (*PortSelector) ProtoMessage() {}

// ProtoReflect returns the reflective view of x. For a non-nil receiver the
// message info is stored in the state on first use; a nil receiver is handed
// to the message info directly.
func (x *PortSelector) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[7]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}

// Descriptor returns the gzipped raw file descriptor and the index path of
// this message inside it.
//
// Deprecated: Use PortSelector.ProtoReflect.Descriptor instead.
func (*PortSelector) Descriptor() ([]byte, []int) {
	raw := file_authentication_v1alpha1_policy_proto_rawDescGZIP()
	return raw, []int{7}
}

// GetPort returns the oneof wrapper held in Port, or nil when the receiver
// is nil.
func (x *PortSelector) GetPort() isPortSelector_Port {
	if x == nil {
		return nil
	}
	return x.Port
}

// GetNumber returns the port number, or 0 when the oneof holds a name or
// nothing. Use GetPort to tell "no number set" from an explicit 0.
func (x *PortSelector) GetNumber() uint32 {
	num, ok := x.GetPort().(*PortSelector_Number)
	if !ok {
		return 0
	}
	return num.Number
}

// GetName returns the port name, or "" when the oneof holds a number or
// nothing.
func (x *PortSelector) GetName() string {
	named, ok := x.GetPort().(*PortSelector_Name)
	if !ok {
		return ""
	}
	return named.Name
}
// The PortSelector.Port oneof: the unexported marker interface and the two
// wrapper types that implement it.
type (
	// isPortSelector_Port is implemented by every wrapper that may be stored
	// in PortSelector.Port.
	isPortSelector_Port interface {
		isPortSelector_Port()
	}

	// PortSelector_Number selects a port by number.
	PortSelector_Number struct {
		// Valid port number
		// NOTE(review): the field is a plain uint32 and no range check is
		// visible here - confirm where the value is validated.
		Number uint32 `protobuf:"varint,1,opt,name=number,proto3,oneof"`
	}

	// PortSelector_Name selects a port by name.
	PortSelector_Name struct {
		// Port name
		Name string `protobuf:"bytes,2,opt,name=name,proto3,oneof"`
	}
)

// Marker methods: each wrapper satisfies isPortSelector_Port.
func (*PortSelector_Number) isPortSelector_Port() {}
func (*PortSelector_Name) isPortSelector_Port()   {}
// $hide_from_docs
// Trigger rule to match against a request. The trigger rule is satisfied if
// and only if both rules, excluded_paths and include_paths are satisfied.
type Jwt_TriggerRule struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// List of paths to be excluded from the request. The rule is satisfied if
// request path does not match to any of the path in this list.
ExcludedPaths []*StringMatch `protobuf:"bytes,1,rep,name=excluded_paths,json=excludedPaths,proto3" json:"excluded_paths,omitempty"`
// List of paths that the request must include. If the list is not empty, the
// rule is satisfied if request path matches at least one of the path in the list.
// If the list is empty, the rule is ignored, in other words the rule is always satisfied.
IncludedPaths []*StringMatch `protobuf:"bytes,2,rep,name=included_paths,json=includedPaths,proto3" json:"included_paths,omitempty"`
}
// Reset overwrites the receiver with a zero Jwt_TriggerRule and re-attaches
// the message info for this type (entry 8 of the file's message table) to
// its state. The receiver must be non-nil.
func (x *Jwt_TriggerRule) Reset() {
	*x = Jwt_TriggerRule{}
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[8]
	protoimpl.X.MessageStateOf(protoimpl.Pointer(x)).StoreMessageInfo(info)
}
// String returns the string rendering of the message as produced by the
// protobuf runtime's MessageStringOf helper.
func (x *Jwt_TriggerRule) String() string {
	text := protoimpl.X.MessageStringOf(x)
	return text
}
// ProtoMessage is an empty marker method identifying *Jwt_TriggerRule as a
// protobuf message type.
func (*Jwt_TriggerRule) ProtoMessage() {}
// ProtoReflect returns the reflective view of the message. For a non-nil
// receiver the view is the message's own state, with the type's message info
// stored on first use; for a nil receiver the view is built from the message
// info alone.
func (x *Jwt_TriggerRule) ProtoReflect() protoreflect.Message {
	info := &file_authentication_v1alpha1_policy_proto_msgTypes[8]
	if x == nil {
		return info.MessageOf(x)
	}
	state := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
	// Only attach the message info if nothing has been stored yet.
	if state.LoadMessageInfo() == nil {
		state.StoreMessageInfo(info)
	}
	return state
}
// Descriptor returns the gzip-compressed raw file descriptor together with the
// index path that locates Jwt_TriggerRule inside it.
//
// Deprecated: Use Jwt_TriggerRule.ProtoReflect.Descriptor instead.
func (*Jwt_TriggerRule) Descriptor() ([]byte, []int) {
	// Two-element path: TriggerRule is declared inside the Jwt message.
	indexPath := []int{2, 0}
	return file_authentication_v1alpha1_policy_proto_rawDescGZIP(), indexPath
}
// GetExcludedPaths returns the ExcludedPaths matchers, or nil when the
// receiver is nil. The returned slice is the message's own slice, not a copy.
func (x *Jwt_TriggerRule) GetExcludedPaths() []*StringMatch {
	if x == nil {
		return nil
	}
	return x.ExcludedPaths
}
// GetIncludedPaths returns the IncludedPaths matchers, or nil when the
// receiver is nil. Per the field's documentation an empty list means the
// include rule is always satisfied, so a nil rule and a rule with no included
// paths look the same to a caller of this getter.
func (x *Jwt_TriggerRule) GetIncludedPaths() []*StringMatch {
	if x == nil {
		return nil
	}
	return x.IncludedPaths
}
// File_authentication_v1alpha1_policy_proto is the file descriptor for
// authentication/v1alpha1/policy.proto. It is nil until
// file_authentication_v1alpha1_policy_proto_init has built and assigned it.
var File_authentication_v1alpha1_policy_proto protoreflect.FileDescriptor
var file_authentication_v1alpha1_policy_proto_rawDesc = []byte{
0x0a, 0x24, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75,
0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61,
0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70,
0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72,
0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7f, 0x0a, 0x0b, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67,
0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x16, 0x0a, 0x05, 0x65, 0x78, 0x61, 0x63, 0x74, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x65, 0x78, 0x61, 0x63, 0x74, 0x12, 0x18, 0x0a,
0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52,
0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x18, 0x0a, 0x06, 0x73, 0x75, 0x66, 0x66, 0x69,
0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x06, 0x73, 0x75, 0x66, 0x66, 0x69,
0x78, 0x12, 0x16, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
0x48, 0x00, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x42, 0x0c, 0x0a, 0x0a, 0x6d, 0x61, 0x74,
0x63, 0x68, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x93, 0x01, 0x0a, 0x09, 0x4d, 0x75, 0x74, 0x75,
0x61, 0x6c, 0x54, 0x6c, 0x73, 0x12, 0x1f, 0x0a, 0x09, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x74,
0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x08, 0x61, 0x6c,
0x6c, 0x6f, 0x77, 0x54, 0x6c, 0x73, 0x12, 0x41, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74,
0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c,
0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x6c, 0x73, 0x2e, 0x4d,
0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22, 0x22, 0x0a, 0x04, 0x4d, 0x6f, 0x64,
0x65, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x10, 0x00, 0x12, 0x0e, 0x0a,
0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x01, 0x22, 0xb5, 0x03,
0x0a, 0x03, 0x4a, 0x77, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a,
0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
0x52, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6a,
0x77, 0x6b, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6a,
0x77, 0x6b, 0x73, 0x55, 0x72, 0x69, 0x12, 0x12, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x0a,
0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x6a, 0x77,
0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52,
0x0a, 0x6a, 0x77, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x6a,
0x77, 0x74, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52,
0x09, 0x6a, 0x77, 0x74, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x12, 0x53, 0x0a, 0x0d, 0x74, 0x72,
0x69, 0x67, 0x67, 0x65, 0x72, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28,
0x0b, 0x32, 0x2e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e,
0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
0x31, 0x2e, 0x4a, 0x77, 0x74, 0x2e, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c,
0x65, 0x52, 0x0c, 0x74, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x1a,
0xb3, 0x01, 0x0a, 0x0b, 0x54, 0x72, 0x69, 0x67, 0x67, 0x65, 0x72, 0x52, 0x75, 0x6c, 0x65, 0x12,
0x51, 0x0a, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x5f, 0x70, 0x61, 0x74, 0x68,
0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x4d, 0x61,
0x74, 0x63, 0x68, 0x52, 0x0d, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x50, 0x61, 0x74,
0x68, 0x73, 0x12, 0x51, 0x0a, 0x0e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64, 0x5f, 0x70,
0x61, 0x74, 0x68, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x73, 0x74,
0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e,
0x67, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x0d, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x64,
0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0xa0, 0x01, 0x0a, 0x18, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75,
0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68,
0x6f, 0x64, 0x12, 0x3e, 0x0a, 0x04, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x6c, 0x73, 0x48, 0x00, 0x52, 0x04, 0x6d, 0x74,
0x6c, 0x73, 0x12, 0x3a, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x22, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69,
0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
0x4a, 0x77, 0x74, 0x42, 0x02, 0x18, 0x01, 0x48, 0x00, 0x52, 0x03, 0x6a, 0x77, 0x74, 0x42, 0x08,
0x0a, 0x06, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x22, 0x52, 0x0a, 0x1a, 0x4f, 0x72, 0x69, 0x67,
0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x34, 0x0a, 0x03, 0x6a, 0x77, 0x74, 0x18, 0x01, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x52, 0x03, 0x6a, 0x77, 0x74, 0x22, 0xbf, 0x03, 0x0a,
0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x4b, 0x0a, 0x07, 0x74, 0x61, 0x72, 0x67, 0x65,
0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e,
0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x53,
0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x42, 0x02, 0x18, 0x01, 0x52, 0x07, 0x74, 0x61, 0x72,
0x67, 0x65, 0x74, 0x73, 0x12, 0x4d, 0x0a, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20,
0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68,
0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
0x68, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69,
0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x52, 0x05, 0x70, 0x65,
0x65, 0x72, 0x73, 0x12, 0x2c, 0x0a, 0x10, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x69, 0x73, 0x5f, 0x6f,
0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18,
0x01, 0x52, 0x0e, 0x70, 0x65, 0x65, 0x72, 0x49, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61,
0x6c, 0x12, 0x57, 0x0a, 0x07, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03,
0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65,
0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
0x61, 0x31, 0x2e, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x42, 0x02, 0x18,
0x01, 0x52, 0x07, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x73, 0x12, 0x30, 0x0a, 0x12, 0x6f, 0x72,
0x69, 0x67, 0x69, 0x6e, 0x5f, 0x69, 0x73, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c,
0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x6f, 0x72, 0x69, 0x67,
0x69, 0x6e, 0x49, 0x73, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x12, 0x60, 0x0a, 0x11,
0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x5f, 0x62, 0x69, 0x6e, 0x64, 0x69, 0x6e,
0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61,
0x6c, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x42, 0x02, 0x18, 0x01, 0x52, 0x10, 0x70, 0x72,
0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x22, 0x7b,
0x0a, 0x0e, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04,
0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x05, 0x70, 0x6f,
0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69,
0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65,
0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x4a, 0x04, 0x08,
0x03, 0x10, 0x04, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x22, 0x46, 0x0a, 0x0c, 0x50,
0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x18, 0x0a, 0x06, 0x6e,
0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x06, 0x6e,
0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x42, 0x06, 0x0a, 0x04, 0x70,
0x6f, 0x72, 0x74, 0x2a, 0x30, 0x0a, 0x10, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c,
0x42, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x0c, 0x0a, 0x08, 0x55, 0x53, 0x45, 0x5f, 0x50,
0x45, 0x45, 0x52, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x55, 0x53, 0x45, 0x5f, 0x4f, 0x52, 0x49,
0x47, 0x49, 0x4e, 0x10, 0x01, 0x42, 0x26, 0x5a, 0x24, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69,
0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
	// Guards the one-time gzip compression done in
	// file_authentication_v1alpha1_policy_proto_rawDescGZIP.
	file_authentication_v1alpha1_policy_proto_rawDescOnce sync.Once
	// Starts out as the uncompressed raw descriptor and is replaced by its
	// compressed form on first use. It keeps its own reference to the bytes,
	// so it stays valid after init sets the rawDesc variable to nil.
	file_authentication_v1alpha1_policy_proto_rawDescData = file_authentication_v1alpha1_policy_proto_rawDesc
)
// file_authentication_v1alpha1_policy_proto_rawDescGZIP returns the raw file
// descriptor in gzip-compressed form. Compression runs at most once, under
// the package-level sync.Once; every later call returns the cached result.
func file_authentication_v1alpha1_policy_proto_rawDescGZIP() []byte {
	compressOnce := func() {
		compressed := protoimpl.X.CompressGZIP(file_authentication_v1alpha1_policy_proto_rawDescData)
		file_authentication_v1alpha1_policy_proto_rawDescData = compressed
	}
	file_authentication_v1alpha1_policy_proto_rawDescOnce.Do(compressOnce)
	return file_authentication_v1alpha1_policy_proto_rawDescData
}
// Per-type runtime info tables, sized to the 2 enums and 9 messages of this
// file. The counts must agree with NumEnums and NumMessages passed to the
// type builder in file_authentication_v1alpha1_policy_proto_init.
var file_authentication_v1alpha1_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
var file_authentication_v1alpha1_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
// file_authentication_v1alpha1_policy_proto_goTypes lists a zero value of
// every Go type generated for this file: the two enums first, then the nine
// messages. The positions are the indexes referenced by the depIdxs table.
// Set to nil at the end of file_authentication_v1alpha1_policy_proto_init.
var file_authentication_v1alpha1_policy_proto_goTypes = []any{
	(PrincipalBinding)(0), // 0: istio.authentication.v1alpha1.PrincipalBinding
	(MutualTls_Mode)(0), // 1: istio.authentication.v1alpha1.MutualTls.Mode
	(*StringMatch)(nil), // 2: istio.authentication.v1alpha1.StringMatch
	(*MutualTls)(nil), // 3: istio.authentication.v1alpha1.MutualTls
	(*Jwt)(nil), // 4: istio.authentication.v1alpha1.Jwt
	(*PeerAuthenticationMethod)(nil), // 5: istio.authentication.v1alpha1.PeerAuthenticationMethod
	(*OriginAuthenticationMethod)(nil), // 6: istio.authentication.v1alpha1.OriginAuthenticationMethod
	(*Policy)(nil), // 7: istio.authentication.v1alpha1.Policy
	(*TargetSelector)(nil), // 8: istio.authentication.v1alpha1.TargetSelector
	(*PortSelector)(nil), // 9: istio.authentication.v1alpha1.PortSelector
	(*Jwt_TriggerRule)(nil), // 10: istio.authentication.v1alpha1.Jwt.TriggerRule
}
// file_authentication_v1alpha1_policy_proto_depIdxs maps each type reference
// in the file to an index into the goTypes table. The first twelve entries
// are field type references; the last five entries are offsets delimiting
// the sub-lists (all but the field sub-list are empty for this file).
// Set to nil at the end of file_authentication_v1alpha1_policy_proto_init.
var file_authentication_v1alpha1_policy_proto_depIdxs = []int32{
	1, // 0: istio.authentication.v1alpha1.MutualTls.mode:type_name -> istio.authentication.v1alpha1.MutualTls.Mode
	10, // 1: istio.authentication.v1alpha1.Jwt.trigger_rules:type_name -> istio.authentication.v1alpha1.Jwt.TriggerRule
	3, // 2: istio.authentication.v1alpha1.PeerAuthenticationMethod.mtls:type_name -> istio.authentication.v1alpha1.MutualTls
	4, // 3: istio.authentication.v1alpha1.PeerAuthenticationMethod.jwt:type_name -> istio.authentication.v1alpha1.Jwt
	4, // 4: istio.authentication.v1alpha1.OriginAuthenticationMethod.jwt:type_name -> istio.authentication.v1alpha1.Jwt
	8, // 5: istio.authentication.v1alpha1.Policy.targets:type_name -> istio.authentication.v1alpha1.TargetSelector
	5, // 6: istio.authentication.v1alpha1.Policy.peers:type_name -> istio.authentication.v1alpha1.PeerAuthenticationMethod
	6, // 7: istio.authentication.v1alpha1.Policy.origins:type_name -> istio.authentication.v1alpha1.OriginAuthenticationMethod
	0, // 8: istio.authentication.v1alpha1.Policy.principal_binding:type_name -> istio.authentication.v1alpha1.PrincipalBinding
	9, // 9: istio.authentication.v1alpha1.TargetSelector.ports:type_name -> istio.authentication.v1alpha1.PortSelector
	2, // 10: istio.authentication.v1alpha1.Jwt.TriggerRule.excluded_paths:type_name -> istio.authentication.v1alpha1.StringMatch
	2, // 11: istio.authentication.v1alpha1.Jwt.TriggerRule.included_paths:type_name -> istio.authentication.v1alpha1.StringMatch
	12, // [12:12] is the sub-list for method output_type
	12, // [12:12] is the sub-list for method input_type
	12, // [12:12] is the sub-list for extension type_name
	12, // [12:12] is the sub-list for extension extendee
	0, // [0:12] is the sub-list for field type_name
}
// init builds and registers this file's protobuf types when the package is
// loaded by delegating to file_authentication_v1alpha1_policy_proto_init.
func init() {
	file_authentication_v1alpha1_policy_proto_init()
}
// file_authentication_v1alpha1_policy_proto_init builds the file descriptor
// and the Go type information for policy.proto from the embedded raw
// descriptor and stores the result in File_authentication_v1alpha1_policy_proto.
// It returns immediately if the descriptor has already been built, so calling
// it more than once is harmless.
func file_authentication_v1alpha1_policy_proto_init() {
	// Already initialized: nothing to do.
	if File_authentication_v1alpha1_policy_proto != nil {
		return
	}
	// Declare the oneof wrapper types for the messages that have a oneof:
	// message 0 (StringMatch), 3 (PeerAuthenticationMethod), 7 (PortSelector).
	file_authentication_v1alpha1_policy_proto_msgTypes[0].OneofWrappers = []any{
		(*StringMatch_Exact)(nil),
		(*StringMatch_Prefix)(nil),
		(*StringMatch_Suffix)(nil),
		(*StringMatch_Regex)(nil),
	}
	file_authentication_v1alpha1_policy_proto_msgTypes[3].OneofWrappers = []any{
		(*PeerAuthenticationMethod_Mtls)(nil),
		(*PeerAuthenticationMethod_Jwt)(nil),
	}
	file_authentication_v1alpha1_policy_proto_msgTypes[7].OneofWrappers = []any{
		(*PortSelector_Number)(nil),
		(*PortSelector_Name)(nil),
	}
	// Local empty type used only to obtain this package's import path via reflection.
	type x struct{}
	out := protoimpl.TypeBuilder{
		File: protoimpl.DescBuilder{
			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
			RawDescriptor: file_authentication_v1alpha1_policy_proto_rawDesc,
			// These counts must match the sizes of the enumTypes and msgTypes tables.
			NumEnums: 2,
			NumMessages: 9,
			NumExtensions: 0,
			NumServices: 0,
		},
		GoTypes: file_authentication_v1alpha1_policy_proto_goTypes,
		DependencyIndexes: file_authentication_v1alpha1_policy_proto_depIdxs,
		EnumInfos: file_authentication_v1alpha1_policy_proto_enumTypes,
		MessageInfos: file_authentication_v1alpha1_policy_proto_msgTypes,
	}.Build()
	File_authentication_v1alpha1_policy_proto = out.File
	// Drop the package-level references to the build inputs now that the
	// descriptor exists. rawDescData still references the raw bytes for
	// file_authentication_v1alpha1_policy_proto_rawDescGZIP.
	file_authentication_v1alpha1_policy_proto_rawDesc = nil
	file_authentication_v1alpha1_policy_proto_goTypes = nil
	file_authentication_v1alpha1_policy_proto_depIdxs = nil
}