Sidecar Outbound Traffic Policy allow_any mode tweaks (#1279)

* Catch all egress gateway Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * doc updates Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * refactor Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * updates Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io> * updates 2 Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
istio · Feb 11, 2020 · 7e4faad · 7e4faad
1 parent 251e511
commit 7e4faad
Show file tree

Hide file tree

Showing 12 changed files with 451 additions and 246 deletions.
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
diff --git a/networking/v1alpha3/sidecar.gen.json b/networking/v1alpha3/sidecar.gen.json
@@ -6,6 +6,16 @@
   },
   "components": {
     "schemas": {
+      "istio.networking.v1alpha3.PortSelector": {
+        "description": "PortSelector specifies the number of a port to be used for matching or selection for final routing.",
+        "type": "object",
+        "properties": {
+          "number": {
+            "description": "Valid port number",
+            "type": "integer"
+          }
+        }
+      },
       "istio.networking.v1alpha3.WorkloadSelector": {
         "description": "`WorkloadSelector` specifies the criteria used to determine if the `Gateway`, `Sidecar`, or `EnvoyFilter` configuration can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.",
         "type": "object",
@@ -217,6 +227,9 @@
         "properties": {
           "mode": {
             "$ref": "#/components/schemas/istio.networking.v1alpha3.OutboundTrafficPolicy.Mode"
+          },
+          "egressProxy": {
+            "$ref": "#/components/schemas/istio.networking.v1alpha3.Destination"
           }
         }
       },
@@ -235,6 +248,25 @@
           "REGISTRY_ONLY",
           "ALLOW_ANY"
         ]
+      },
+      "istio.networking.v1alpha3.Destination": {
+        "description": "Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule. The destination.host should unambiguously refer to a service in the service registry. Istio's service registry is composed of all the services found in the platform's service registry (e.g., Kubernetes services, Consul services), as well as services declared through the [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry) resource.",
+        "type": "object",
+        "properties": {
+          "host": {
+            "description": "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two, will be dropped.",
+            "type": "string",
+            "format": "string"
+          },
+          "port": {
+            "$ref": "#/components/schemas/istio.networking.v1alpha3.PortSelector"
+          },
+          "subset": {
+            "description": "The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.",
+            "type": "string",
+            "format": "string"
+          }
+        }
       }
     }
   }

diff --git a/networking/v1alpha3/sidecar.pb.go b/networking/v1alpha3/sidecar.pb.go
diff --git a/networking/v1alpha3/sidecar.pb.html b/networking/v1alpha3/sidecar.pb.html