From 4228ef2611906cd4cdb0d91145b254d9db0fe73f Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 23 Mar 2021 11:12:53 +0900 Subject: [PATCH 1/6] Add SPIFFE independent multiple trust domain API. Signed-off-by: Takeshi Yoneda --- kubernetes/customresourcedefinitions.gen.yaml | 6 + mesh/v1alpha1/config.pb.go | 439 +++++++++++------- mesh/v1alpha1/config.proto | 26 ++ mesh/v1alpha1/istio.mesh.v1alpha1.gen.json | 11 + mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 42 ++ python/istio_api/mesh/v1alpha1/config_pb2.py | 120 ++--- .../v1beta1/authorization_policy_pb2.py | 19 +- .../v1beta1/authorization_policy.gen.json | 8 + security/v1beta1/authorization_policy.pb.go | 159 +++++-- security/v1beta1/authorization_policy.pb.html | 12 + security/v1beta1/authorization_policy.proto | 4 + 11 files changed, 577 insertions(+), 269 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 1c69397a4bc..e02a13d044a 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -5519,6 +5519,12 @@ spec: format: string type: string type: array + trustDomains: + description: Optional. + items: + format: string + type: string + type: array type: object type: object type: array diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 36fba099d59..a990fe445aa 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go 
@@ -319,6 +319,24 @@ type MeshConfig struct { // are automatically added by Istiod. // The CA certificate that signs the workload certificates is automatically added by Istio Agent. CaCertificates []*MeshConfig_CertificateData `protobuf:"bytes,58,rep,name=ca_certificates,json=caCertificates,proto3" json:"caCertificates,omitempty"` + // If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation. + // That means, all the root certificates specified in `ca_certificates` and the self-signed 'istio-ca-secret' secret are used to + // validate client certificates while keeping them isolated from each other. + // More precisely, the proxy validates client certificates with the following procedure: + // 1. Extract the SVID(URI SAN) in an incoming client certificate. + // 2. Select a root certificate for the trust domain in the SVID (E.g. "example.com" for "spiffe://example.com/foo" SVID). + // 3. Verify the certificate using the selected root certificate. + // This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates. + // For example, consider the case where a cluster A manages the trust domain "aaa.com", cluster B manages "bbb.com". + // When services in cluster A talk to services in cluster B, services in cluster B has to validate client certificates + // based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B, + // then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because + // cluster A might sign client certificates with "spiffe://bbb.com/**" URI SAN in order to bypass + // cluster B's authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other. + // This is why we need to select root certificates based on the trust domain before verify client certificates. 
+ // + // Please note that this setting requires `STRICT` mTLS mode to take into effect. + EnabledSpiffeMultipleIndependentTrustDomainAuthentication bool `protobuf:"varint,60,opt,name=enabled_spiffe_multiple_independent_trust_domain_authentication,json=enabledSpiffeMultipleIndependentTrustDomainAuthentication,proto3" json:"enabledSpiffeMultipleIndependentTrustDomainAuthentication,omitempty"` // The default value for the ServiceEntry.export_to field and services // imported through container registry integrations, e.g. this applies to // Kubernetes Service resources. The value is a list of namespace names and @@ -669,6 +687,13 @@ func (m *MeshConfig) GetCaCertificates() []*MeshConfig_CertificateData { return nil } +func (m *MeshConfig) GetEnabledSpiffeMultipleIndependentTrustDomainAuthentication() bool { + if m != nil { + return m.EnabledSpiffeMultipleIndependentTrustDomainAuthentication + } + return false +} + func (m *MeshConfig) GetDefaultServiceExportTo() []string { if m != nil { return m.DefaultServiceExportTo 
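Review bot: The comment on `EnabledSpiffeMultipleIndependentTrustDomainAuthentication` does not say what the proxy does when the flag is on but its preconditions are not met, so an operator could believe trust domains are isolated when they are not. It says the setting needs `STRICT` mTLS to take effect, and the `TrustDomain` comment in the later `MeshConfig_CertificateData` hunk calls that field "Optional" while also saying it must be set when the flag is enabled. Neither comment states whether a non-STRICT mode, or a `ca_certificates` entry with an empty trust domain, is rejected or silently validated against the merged root set. I would document the failure behaviour explicitly, for example `// If enabled without STRICT mTLS, or with a ca_certificates entry lacking trust_domain, the configuration is rejected instead of falling back to the merged roots.`, adjusted to whatever the implementation actually does. The `MeshConfig` struct starts and ends outside this hunk and the file is generated, so this wording and the typos "mTSL" and "to take into effect" belong in config.proto, followed by a regenerate.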
@@ -839,10 +864,16 @@ type MeshConfig_CertificateData struct { // Types that are valid to be assigned to CertificateData: // *MeshConfig_CertificateData_Pem // *MeshConfig_CertificateData_SpiffeBundleUrl - CertificateData isMeshConfig_CertificateData_CertificateData `protobuf_oneof:"certificate_data"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + CertificateData isMeshConfig_CertificateData_CertificateData `protobuf_oneof:"certificate_data"` + // Optional. Specify the trust domain to which this certificate data belongs. + // If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for + // distinguishing different trust domains from each other. Certificates in a same trust domain will be merged + // and used together to validate the trust domain. + // If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set. + TrustDomain string `protobuf:"bytes,3,opt,name=trust_domain,json=trustDomain,proto3" json:"trustDomain,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *MeshConfig_CertificateData) Reset() { *m = MeshConfig_CertificateData{} } @@ -915,6 +946,13 @@ func (m *MeshConfig_CertificateData) GetSpiffeBundleUrl() string { return "" } +func (m *MeshConfig_CertificateData) GetTrustDomain() string { + if m != nil { + return m.TrustDomain + } + return "" +} + // XXX_OneofWrappers is for the internal use of the proto package. func (*MeshConfig_CertificateData) XXX_OneofWrappers() []interface{} { return []interface{}{ 
@@ -1704,162 +1742,165 @@ func init() { func init() { proto.RegisterFile("mesh/v1alpha1/config.proto", fileDescriptor_b5c7ece76d5d5022) } var fileDescriptor_b5c7ece76d5d5022 = []byte{ - // 2465 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0x5b, 0x72, 0x1b, 0xc7, - 0xb9, 0x26, 0xc8, 0xb1, 0x34, 0x6c, 0x12, 0xc4, 0xb0, 0x49, 0x4a, 0x23, 0xc8, 0xa2, 0x28, 0xda, - 0x92, 0x68, 0x1d, 0x1f, 0xc0, 0xa4, 0x7c, 0x91, 0xed, 0xaa, 0x53, 0x87, 0x04, 0x20, 0x91, 0x30, - 0x44, 0xf0, 0x34, 0x41, 0xf9, 0xf6, 0xd0, 0xd5, 0x9c, 0x69, 0x00, 0x73, 0x38, 0x98, 0x9e, 0x74, - 0xf7, 0x50, 0xa4, 0xab, 0xb2, 0x82, 0x2c, 0x21, 0x6b, 0x48, 0x16, 0x90, 0x15, 0xa4, 0x2a, 0x2f, - 0x79, 0xc8, 0x02, 0x52, 0x7e, 0xc9, 0x12, 0xf2, 0x9a, 0xea, 0xcb, 0x00, 0x20, 0x89, 0x18, 0x76, - 0x2a, 0x95, 0x37, 0xcc, 0xd7, 0xff, 0xff, 0x75, 0xf7, 0xdf, 0xff, 0x15, 0xa0, 0x3c, 0xa0, 0xa2, - 0x5f, 0x3d, 0xdf, 0x26, 0x71, 0xda, 0x27, 0xdb, 0xd5, 0x80, 0x25, 0xdd, 0xa8, 0x57, 0x49, 0x39, - 0x93, 0x0c, 0xae, 0x44, 0x42, 0x46, 0xac, 0xa2, 0x24, 0x2a, 0xb9, 0x44, 0x79, 0xbd, 0xc7, 0x58, - 0x2f, 0xa6, 0x55, 0x2d, 0x72, 0x9a, 0x75, 0xab, 0x61, 0xc6, 0x89, 0x8c, 0x58, 0x62, 0x94, 0x6e, - 0xae, 0xbf, 0xe5, 0x24, 0x4d, 0x29, 0x17, 0x76, 0xfd, 0xde, 0xd5, 0x0d, 0x53, 0xce, 0x2e, 0x2e, - 0xed, 0xd2, 0xb3, 0x84, 0xca, 0xb7, 0x8c, 0x9f, 0x45, 0x49, 0x2f, 0x17, 0x78, 0x5e, 0x0d, 0xa9, - 0x90, 0x51, 0xa2, 0x77, 0xc0, 0x3c, 0x8b, 0xa9, 0x95, 0xfd, 0xf8, 0xec, 0x85, 0xa8, 0x44, 0xac, - 0x4a, 0xd2, 0x68, 0x40, 0x82, 0x7e, 0x94, 0x50, 0x7e, 0x59, 0x4d, 0xcf, 0x7a, 0x0a, 0x10, 0xd5, - 0x01, 0x95, 0xa4, 0x7a, 0xbe, 0x5d, 0xed, 0xd1, 0x84, 0x72, 0x22, 0x69, 0x68, 0xb4, 0x36, 0xff, - 0xb0, 0x05, 0xc0, 0x6b, 0x2a, 0xfa, 0x35, 0x7d, 0x4d, 0xf8, 0x0c, 0x2c, 0xeb, 0xfd, 0x71, 0x1c, - 0x09, 0x49, 0x13, 0x9c, 0x32, 0x2e, 0x7d, 0x67, 0xa3, 0xb0, 0xf5, 0x0e, 0x2a, 0xe9, 0x85, 0x96, - 0xc6, 0x8f, 0x18, 0x97, 0xf0, 0x09, 0x30, 0x10, 0xee, 0x4b, 0x99, 0x1a, 0xc9, 0x77, 0xb4, 0x64, - 
0x51, 0xc3, 0xfb, 0x52, 0xa6, 0x5a, 0x6e, 0x0f, 0x94, 0x02, 0x96, 0x24, 0x34, 0x90, 0x58, 0x46, - 0x03, 0xca, 0x32, 0xe9, 0xdf, 0xda, 0x28, 0x6c, 0x2d, 0xec, 0xdc, 0xab, 0x18, 0xcb, 0x54, 0x72, - 0xcb, 0x54, 0xea, 0xd6, 0x72, 0x68, 0xc9, 0x6a, 0x74, 0x8c, 0x02, 0xfc, 0x1a, 0x94, 0xb5, 0x50, - 0xc0, 0x62, 0x1c, 0x52, 0x49, 0x03, 0x7d, 0xfb, 0x9c, 0xee, 0xd9, 0x34, 0x3a, 0x3f, 0x57, 0xae, - 0xe7, 0xba, 0x39, 0x31, 0x03, 0x45, 0x19, 0xa4, 0xf8, 0x8c, 0xd2, 0x94, 0xc4, 0xd1, 0x39, 0xf5, - 0xdf, 0xd5, 0x5c, 0xcd, 0x8a, 0x79, 0xe9, 0x91, 0xfd, 0xf3, 0xf7, 0x7e, 0x5e, 0xa9, 0x99, 0xa3, - 0x45, 0x2c, 0x39, 0x62, 0x2c, 0x3e, 0xa6, 0x52, 0x46, 0x49, 0x4f, 0x54, 0x3a, 0xb5, 0xa3, 0xd1, - 0xef, 0x20, 0xfd, 0x2a, 0x67, 0x44, 0x8b, 0x72, 0xec, 0x0b, 0xbe, 0x07, 0x8a, 0x51, 0xd2, 0xe3, - 0x54, 0x08, 0x1c, 0xc4, 0x44, 0x08, 0xff, 0xf6, 0x46, 0x61, 0x6b, 0x1e, 0x2d, 0x5a, 0xb0, 0xa6, - 0x30, 0xf8, 0x14, 0x94, 0x72, 0x21, 0x41, 0xf9, 0x79, 0x14, 0x50, 0xdf, 0xd5, 0x62, 0x4b, 0x16, - 0x3e, 0x36, 0x28, 0x1c, 0x80, 0xbb, 0x43, 0x36, 0x96, 0x48, 0xce, 0xe2, 0x98, 0x72, 0x3c, 0x60, - 0x21, 0xf5, 0xe7, 0x37, 0x0a, 0x5b, 0x4b, 0x3b, 0x9f, 0x54, 0x26, 0xb8, 0x6c, 0x65, 0xf4, 0xe2, - 0x95, 0x03, 0xbb, 0xef, 0x50, 0xfb, 0x35, 0x0b, 0x29, 0x5a, 0x8b, 0x26, 0xc1, 0xf0, 0x03, 0xe0, - 0x8d, 0xce, 0x15, 0xd3, 0x40, 0x32, 0xee, 0x7f, 0xac, 0x0f, 0x56, 0x1a, 0x1e, 0xcc, 0xc0, 0xf0, - 0x31, 0x58, 0xa2, 0x09, 0x39, 0x8d, 0x29, 0x96, 0x9c, 0x04, 0x51, 0xd2, 0xf3, 0x17, 0x37, 0x0a, - 0x5b, 0x2e, 0x2a, 0x1a, 0xb4, 0x63, 0x40, 0xe5, 0x44, 0x24, 0x08, 0x14, 0x61, 0xcc, 0x7a, 0xb8, - 0x1b, 0xc5, 0xd4, 0x2f, 0x6a, 0xc2, 0xa2, 0x81, 0x5b, 0xac, 0xf7, 0x32, 0x8a, 0xa9, 0x72, 0xcc, - 0x71, 0x39, 0xc6, 0x07, 0x44, 0xfa, 0xbe, 0xd9, 0x7a, 0x24, 0xa9, 0x61, 0x48, 0xc0, 0xca, 0x98, - 0x2c, 0x4d, 0x02, 0x16, 0xaa, 0xfd, 0xef, 0x6b, 0x83, 0x6c, 0x4f, 0x33, 0xc8, 0x6e, 0xce, 0xd6, - 0xb0, 0x8a, 0x68, 0x99, 0x5c, 0x87, 0x60, 0x1d, 0x3c, 0xb4, 0xb7, 0xa3, 0xc9, 0x39, 0xbb, 0xc4, - 0x63, 0xfb, 0xe5, 0x0f, 0xb6, 0xa5, 
0xaf, 0x7b, 0xdf, 0x88, 0x35, 0x94, 0xd4, 0x90, 0x39, 0x7f, - 0xbd, 0x2f, 0x41, 0x39, 0x8c, 0xc4, 0x18, 0x8d, 0x89, 0x3a, 0xca, 0x15, 0x91, 0xff, 0x42, 0x13, - 0xdc, 0xb5, 0x12, 0x9a, 0xa1, 0x65, 0xd7, 0x5b, 0xac, 0x07, 0x5f, 0x81, 0xa5, 0x90, 0x76, 0x49, - 0x16, 0x4b, 0x6c, 0x72, 0x94, 0xbf, 0xa4, 0x5d, 0x77, 0x63, 0xe2, 0x05, 0x8f, 0x54, 0x48, 0x9a, - 0x1b, 0xa2, 0xa2, 0xd5, 0xb3, 0x31, 0x3f, 0x00, 0x77, 0x59, 0x26, 0x4f, 0x59, 0x96, 0x84, 0xea, - 0xad, 0xba, 0xdd, 0x28, 0xc0, 0x29, 0x8b, 0xa3, 0xe0, 0xd2, 0x5f, 0xd6, 0x8c, 0x53, 0x7d, 0xa8, - 0x6d, 0xd5, 0x3b, 0x46, 0xfb, 0x48, 0x2b, 0xa3, 0x35, 0x36, 0x09, 0x86, 0xfb, 0x60, 0xc9, 0x9c, - 0x17, 0x0b, 0x96, 0xf1, 0x80, 0x0a, 0xff, 0xce, 0xc6, 0xdc, 0xd6, 0xc2, 0xce, 0xa3, 0x89, 0xbb, - 0x98, 0x1d, 0x8e, 0xb5, 0x24, 0x2a, 0x06, 0x63, 0x5f, 0x02, 0xd6, 0x81, 0x67, 0x1f, 0x81, 0x64, - 0x92, 0xe1, 0x81, 0x8c, 0x85, 0xff, 0x5f, 0xfa, 0xc4, 0xe5, 0x1b, 0xa9, 0x60, 0x8f, 0xb1, 0xf8, - 0x0d, 0x89, 0x33, 0x8a, 0xac, 0x5b, 0xee, 0x66, 0x92, 0xbd, 0x96, 0xb1, 0x80, 0x8f, 0xc0, 0xa2, - 0xe4, 0x99, 0x90, 0x38, 0x64, 0x03, 0x12, 0x25, 0x7e, 0x59, 0x3b, 0xd5, 0x82, 0xc6, 0xea, 0x1a, - 0x82, 0x1f, 0x81, 0xd5, 0x71, 0x11, 0x4c, 0xe2, 0x88, 0x08, 0x2a, 0xfc, 0xca, 0xc6, 0xdc, 0xd6, - 0x3c, 0x82, 0x63, 0xa2, 0xbb, 0x66, 0x05, 0x7e, 0x03, 0x4a, 0x01, 0xc1, 0x01, 0xe5, 0x32, 0xea, - 0x46, 0x01, 0x91, 0x54, 0xf8, 0x5f, 0xe8, 0x5b, 0x56, 0xa7, 0xd9, 0xb2, 0x36, 0xd2, 0xa9, 0x13, - 0x49, 0xd0, 0x52, 0x40, 0xc6, 0x20, 0x01, 0x3f, 0x07, 0xf7, 0xf2, 0x67, 0xb7, 0x9e, 0x86, 0xe9, - 0x85, 0x4a, 0xbe, 0x58, 0x32, 0xff, 0xa1, 0x3e, 0xd0, 0x1d, 0x2b, 0x60, 0xdd, 0xac, 0xa1, 0x97, - 0x3b, 0x0c, 0xee, 0x83, 0x47, 0xb9, 0xea, 0x79, 0xc4, 0x65, 0x46, 0xe2, 0x09, 0x14, 0x1b, 0x9a, - 0xe2, 0x81, 0x15, 0x7c, 0x63, 0xe4, 0xae, 0x33, 0x35, 0xc1, 0x66, 0xce, 0x74, 0xbd, 0x1a, 0x8d, - 0x51, 0x3d, 0xd2, 0x54, 0xeb, 0x56, 0xb2, 0x3e, 0x12, 0x44, 0x59, 0x3c, 0xe2, 0x7a, 0x0c, 0x96, - 0x38, 0x63, 0x12, 0x27, 0x64, 0x40, 0x45, 0x4a, 0x02, 0xea, 0x6f, 0x9a, 
0x04, 0xa0, 0xd0, 0xc3, - 0x1c, 0x84, 0x5d, 0xb0, 0x12, 0xb3, 0x80, 0xc4, 0x91, 0xbc, 0xc4, 0xf1, 0x29, 0x16, 0x26, 0xd5, - 0xfa, 0xef, 0xe9, 0xf7, 0xfe, 0xf4, 0x27, 0xd2, 0x75, 0xcb, 0x6a, 0xb5, 0x18, 0x09, 0xf7, 0x48, - 0x4c, 0x92, 0x80, 0x72, 0x9b, 0xa8, 0xd1, 0x72, 0x4e, 0xd9, 0x3a, 0xb5, 0x10, 0xac, 0x01, 0x2f, - 0x4c, 0x04, 0xe6, 0xb4, 0xcb, 0xa9, 0xe8, 0x63, 0x55, 0x2b, 0xfd, 0xf7, 0xa7, 0x96, 0xab, 0x30, - 0x11, 0xc8, 0x68, 0x20, 0x22, 0x29, 0xfc, 0x1e, 0x2c, 0xf7, 0x77, 0x70, 0x96, 0xf6, 0x38, 0x09, - 0x69, 0x1e, 0x4c, 0x1f, 0xe8, 0xfc, 0x33, 0xd5, 0x01, 0xf6, 0x77, 0x4e, 0x8c, 0x9e, 0x0d, 0xa3, - 0x52, 0xff, 0x2a, 0xa0, 0x3c, 0x20, 0x4a, 0x4c, 0xb8, 0x06, 0x71, 0x26, 0x24, 0xe5, 0x58, 0x48, - 0x62, 0x0c, 0xe8, 0x7f, 0xa8, 0x6d, 0x77, 0xc7, 0x0a, 0xd4, 0xcc, 0xfa, 0xb1, 0x24, 0xda, 0x92, - 0x2a, 0xe1, 0x0c, 0x43, 0xfd, 0xa6, 0xee, 0x7f, 0x6b, 0xdd, 0x61, 0x32, 0xb8, 0xae, 0x5c, 0x07, - 0x8b, 0x57, 0x1c, 0xba, 0xaa, 0x1d, 0x7a, 0x72, 0xba, 0x19, 0x73, 0x59, 0x74, 0x45, 0x0b, 0xfe, - 0x1f, 0x28, 0xca, 0x3e, 0x8f, 0xba, 0xc3, 0xac, 0xb5, 0xad, 0x8d, 0xfb, 0xe1, 0x34, 0xb3, 0x74, - 0xb4, 0x92, 0xcd, 0x60, 0x8b, 0x72, 0xec, 0x0b, 0x7e, 0x07, 0xbc, 0xdc, 0x8f, 0xad, 0x5b, 0x08, - 0x7f, 0xe7, 0xe7, 0x45, 0x9b, 0x75, 0xec, 0xbc, 0x70, 0xa3, 0x92, 0xb8, 0x0a, 0x40, 0x04, 0xee, - 0xda, 0x1c, 0x93, 0x72, 0x36, 0xa0, 0xb2, 0x4f, 0x33, 0x81, 0x07, 0x94, 0xf7, 0xa8, 0xff, 0x7c, - 0x6a, 0xaa, 0x59, 0x33, 0xaa, 0x47, 0x43, 0xcd, 0xd7, 0x4a, 0x11, 0x7e, 0x0f, 0xde, 0x3d, 0xa7, - 0x3c, 0xea, 0x5e, 0x8e, 0x27, 0x08, 0x4c, 0x24, 0x0e, 0xe2, 0x88, 0x26, 0xd2, 0xff, 0x74, 0x2a, - 0xf1, 0x3d, 0xa3, 0x3f, 0x66, 0xe5, 0x5d, 0x59, 0xd3, 0xca, 0x70, 0x07, 0xcc, 0x06, 0xc4, 0xff, - 0x4c, 0x53, 0x6c, 0x4e, 0x4d, 0x36, 0xbb, 0x68, 0x36, 0x20, 0xf0, 0x14, 0xac, 0xd0, 0x0b, 0x49, - 0x13, 0xa1, 0x82, 0x38, 0xe5, 0xec, 0x3c, 0x0a, 0x29, 0x17, 0xfe, 0xe7, 0xda, 0x86, 0x53, 0x0b, - 0x66, 0x23, 0x57, 0x3d, 0xb2, 0x9a, 0x08, 0xd2, 0xeb, 0x90, 0x80, 0x21, 0x58, 0x09, 0x23, 0x11, - 0xb0, 0x73, 
0xca, 0x2f, 0x87, 0xcd, 0x83, 0xf0, 0xbf, 0xd4, 0x7b, 0x3c, 0xaf, 0x98, 0xe6, 0xb5, - 0x32, 0xde, 0xbc, 0x56, 0xd2, 0xb3, 0x9e, 0x02, 0x44, 0x45, 0x35, 0xaf, 0x95, 0xf3, 0xed, 0x4a, - 0x8b, 0x9c, 0xd2, 0x38, 0xef, 0x30, 0x10, 0x1c, 0xf2, 0xe5, 0x90, 0x28, 0xff, 0xae, 0x00, 0xd6, - 0x26, 0x56, 0x23, 0x78, 0x08, 0x1c, 0xdd, 0x16, 0x15, 0x74, 0x14, 0x7e, 0xf1, 0x2f, 0x95, 0xb4, - 0x8a, 0xee, 0x8d, 0x34, 0xcf, 0x66, 0x1d, 0x38, 0xba, 0x25, 0x5a, 0x06, 0x45, 0xd4, 0x78, 0x75, - 0x70, 0xdc, 0x41, 0xdf, 0xe2, 0xf6, 0x61, 0xeb, 0x5b, 0x6f, 0x06, 0x16, 0xc1, 0xfc, 0x6e, 0xab, - 0xd5, 0xfe, 0x1a, 0xef, 0x1e, 0x7e, 0xeb, 0x15, 0x36, 0x1d, 0x77, 0xd6, 0x9b, 0x7d, 0xb6, 0xfa, - 0xe6, 0x00, 0x75, 0x4e, 0x76, 0x5b, 0xf8, 0xb8, 0x81, 0xde, 0x1c, 0xd4, 0x1a, 0x5a, 0xb8, 0xdc, - 0x03, 0xa5, 0x6b, 0x09, 0x1f, 0x42, 0x30, 0x97, 0xd2, 0x81, 0x3e, 0xe7, 0xfc, 0xfe, 0x0c, 0x52, - 0x1f, 0xf0, 0x43, 0xb0, 0x2c, 0xd2, 0xa8, 0xdb, 0xa5, 0xf8, 0x34, 0x4b, 0xc2, 0x98, 0xe2, 0x8c, - 0xc7, 0xfe, 0xac, 0x95, 0x28, 0x99, 0xa5, 0x3d, 0xbd, 0x72, 0xc2, 0xe3, 0x3d, 0x08, 0xbc, 0x71, - 0xc7, 0x0a, 0x89, 0x24, 0xe5, 0x5f, 0x83, 0xc5, 0xf1, 0x08, 0x82, 0xef, 0x83, 0x25, 0x95, 0xda, - 0x70, 0x1c, 0x0d, 0x22, 0xa9, 0xe9, 0x0a, 0xa6, 0x0f, 0x55, 0x68, 0x4b, 0x81, 0x27, 0x3c, 0x86, - 0xaf, 0x00, 0x1c, 0x93, 0xca, 0xdb, 0xed, 0xd9, 0x69, 0xe9, 0xd0, 0x1b, 0x92, 0xd8, 0x36, 0xbb, - 0xfc, 0xfb, 0x02, 0x28, 0x5d, 0x8b, 0x35, 0xd8, 0x01, 0xee, 0x30, 0x5c, 0x0b, 0x9a, 0xf2, 0xc5, - 0x2f, 0x0c, 0xd7, 0xca, 0x30, 0x6e, 0x87, 0x4c, 0x70, 0x15, 0xbc, 0xd3, 0x67, 0x42, 0x0a, 0x7f, - 0x56, 0x57, 0x1f, 0xf3, 0x51, 0xae, 0x02, 0x77, 0xb8, 0xef, 0x7b, 0xa0, 0x98, 0xe7, 0x3e, 0x9d, - 0xfe, 0xf5, 0xe6, 0x2e, 0x5a, 0xb4, 0xa0, 0xae, 0x17, 0xe5, 0xbf, 0x14, 0xc0, 0x6c, 0x6d, 0x17, - 0xfa, 0xe0, 0x36, 0x09, 0x43, 0xd5, 0xd8, 0x5a, 0xfb, 0xe4, 0x9f, 0xb0, 0x0d, 0x16, 0x65, 0x2c, - 0x46, 0x09, 0x67, 0xf6, 0x4a, 0x1a, 0x9b, 0x38, 0x37, 0xe8, 0x00, 0xed, 0xb4, 0x8e, 0x87, 0xa7, - 0x5e, 0x90, 0xb1, 0x18, 0x1e, 0x6b, 0x0f, 0x94, 
0x38, 0xfd, 0x55, 0x46, 0xc5, 0xc8, 0xd0, 0x73, - 0x53, 0xeb, 0x8e, 0xd5, 0xc8, 0xa7, 0x99, 0x87, 0x60, 0x41, 0xef, 0x1f, 0x62, 0x11, 0x85, 0x54, - 0x0f, 0x6e, 0x2e, 0x02, 0x06, 0x3a, 0x8e, 0x42, 0x5a, 0xfe, 0xdb, 0x2d, 0xb0, 0x7c, 0x23, 0x5e, - 0x21, 0x04, 0x8e, 0x2e, 0x00, 0xe6, 0x8a, 0xfa, 0x37, 0xfc, 0x4d, 0x01, 0xac, 0x9a, 0xa6, 0x94, - 0x5e, 0x48, 0xd5, 0x60, 0xf5, 0x7f, 0xd0, 0x83, 0x9e, 0xbd, 0xe8, 0x37, 0xbf, 0x38, 0x2b, 0x54, - 0x74, 0x07, 0xab, 0x60, 0x9e, 0x90, 0x78, 0x37, 0x93, 0x7d, 0xc6, 0xa3, 0x1f, 0xf4, 0x3d, 0xf4, - 0xa8, 0x68, 0xc5, 0xf6, 0x67, 0xd0, 0x32, 0xb5, 0x92, 0x4a, 0xe8, 0x07, 0xb5, 0x38, 0xf1, 0x34, - 0x3d, 0x9e, 0x06, 0xd6, 0x44, 0xff, 0xd6, 0xd3, 0xbc, 0xe2, 0x69, 0xf0, 0x4f, 0x4f, 0xa3, 0x16, - 0xcb, 0x7f, 0x9f, 0x05, 0x4f, 0x7e, 0xde, 0x6d, 0x94, 0x03, 0xe5, 0x03, 0x81, 0x75, 0x20, 0xfb, - 0xa9, 0x8c, 0xae, 0x67, 0x66, 0x65, 0xcf, 0x22, 0xd2, 0xbf, 0xd5, 0xfb, 0xa5, 0x44, 0xf6, 0x71, - 0xca, 0x69, 0x37, 0xba, 0xd0, 0x97, 0x9b, 0x47, 0x40, 0x41, 0x47, 0x1a, 0x81, 0xf7, 0xc1, 0x7c, - 0x97, 0x44, 0x31, 0x66, 0x29, 0x4d, 0xec, 0xf3, 0xba, 0x0a, 0x68, 0xa7, 0x34, 0x51, 0xb3, 0x94, - 0x2a, 0xe6, 0x99, 0xc0, 0x2c, 0xc1, 0x94, 0x73, 0xc6, 0xf5, 0x40, 0x3e, 0x8f, 0x8a, 0x06, 0x6e, - 0x27, 0x0d, 0x05, 0xc2, 0xcf, 0x80, 0x1f, 0x25, 0x41, 0x9c, 0x85, 0x14, 0xf7, 0x29, 0x51, 0xd9, - 0x19, 0x47, 0x09, 0x0e, 0xfa, 0x34, 0x38, 0xf3, 0x6f, 0xe9, 0xa8, 0x59, 0xb3, 0xeb, 0xfb, 0x66, - 0xf9, 0x20, 0xa9, 0xa9, 0x45, 0xf8, 0x3f, 0xe0, 0xdd, 0x5c, 0x41, 0x32, 0x9c, 0xa5, 0x42, 0x72, - 0x4a, 0x06, 0x6a, 0x37, 0x12, 0xc7, 0xec, 0xad, 0x7f, 0x5b, 0x2b, 0xfb, 0x56, 0xa6, 0xc3, 0x4e, - 0xac, 0x44, 0x3b, 0xd9, 0x55, 0xeb, 0xf0, 0x7f, 0xc1, 0x83, 0x31, 0xfd, 0x90, 0xbd, 0x4d, 0x46, - 0x0c, 0x21, 0x4d, 0x2e, 0x7d, 0x57, 0x13, 0xdc, 0x1b, 0x12, 0xd4, 0x87, 0x22, 0xed, 0xa4, 0x4e, - 0x93, 0xcb, 0xf2, 0x6f, 0x0b, 0x3f, 0x65, 0xf9, 0xf1, 0x97, 0xfb, 0x85, 0x96, 0xbf, 0x62, 0xd8, - 0xb9, 0xe9, 0x86, 0x75, 0x26, 0x18, 0x76, 0x0f, 0x00, 0x37, 0xaf, 0x9e, 0x9b, 0x4d, 
0xb0, 0x36, - 0x71, 0xb4, 0x86, 0x25, 0xb0, 0x70, 0x72, 0x78, 0x7c, 0xd4, 0xa8, 0x1d, 0xbc, 0x3c, 0x68, 0xd4, - 0xbd, 0x19, 0x78, 0x1b, 0xcc, 0xb5, 0x5f, 0xbe, 0xf4, 0x0a, 0x70, 0x01, 0xdc, 0xae, 0x37, 0x5e, - 0xee, 0x9e, 0xb4, 0x3a, 0xde, 0x2c, 0x04, 0xe0, 0xd6, 0x71, 0x07, 0x1d, 0xd4, 0x3a, 0xde, 0xdc, - 0xe6, 0x13, 0x00, 0xd4, 0x3d, 0x6d, 0x25, 0x73, 0x81, 0x73, 0xd8, 0x3e, 0x6c, 0x78, 0x33, 0x70, - 0x09, 0x80, 0xd7, 0x27, 0xba, 0xa8, 0x74, 0x5a, 0xc7, 0x5e, 0x61, 0xf3, 0x29, 0x58, 0xbe, 0x31, - 0xbd, 0x2a, 0xf1, 0x4e, 0xe3, 0x9b, 0x8e, 0x37, 0xa3, 0x7e, 0x35, 0x8f, 0xdb, 0x87, 0x5e, 0x61, - 0x73, 0x07, 0x94, 0xae, 0xb5, 0x99, 0x10, 0x82, 0xa5, 0x7a, 0x1b, 0x1f, 0xb6, 0x3b, 0xf8, 0xe4, - 0xe8, 0x15, 0xda, 0xad, 0x2b, 0xfe, 0x05, 0x70, 0x3b, 0xff, 0x28, 0x34, 0x1d, 0xb7, 0xe0, 0xcd, - 0x36, 0x55, 0x31, 0x9b, 0x6b, 0x3a, 0xee, 0x9c, 0xe7, 0x34, 0x1d, 0xf7, 0x23, 0x6f, 0xbb, 0xe9, - 0xb8, 0xf7, 0xbc, 0x72, 0xd3, 0x71, 0xd7, 0xbd, 0x87, 0x4d, 0xc7, 0x05, 0xde, 0x42, 0xd3, 0x71, - 0x17, 0xbc, 0xc5, 0xa6, 0xe3, 0x96, 0x3c, 0xaf, 0xe9, 0xb8, 0x9e, 0xb7, 0xdc, 0x74, 0x5c, 0xe8, - 0xad, 0x34, 0x1d, 0x77, 0xc5, 0x5b, 0x6d, 0x3a, 0xee, 0xaa, 0xb7, 0xd6, 0x74, 0xdc, 0x35, 0xef, - 0x4e, 0xd3, 0x71, 0xef, 0x7a, 0x7e, 0xd3, 0x71, 0x1f, 0x78, 0xeb, 0x4d, 0xc7, 0xfd, 0xc4, 0xfb, - 0xb4, 0xe9, 0xb8, 0x8f, 0xbd, 0x27, 0x4d, 0xc7, 0x7d, 0xe2, 0x3d, 0x6d, 0x3a, 0xee, 0x53, 0x6f, - 0x0b, 0xc1, 0x41, 0x74, 0x41, 0xb9, 0x71, 0x4f, 0x3d, 0xaf, 0x50, 0x8e, 0x56, 0x0c, 0xc6, 0xa9, - 0x1e, 0x35, 0x2c, 0xb8, 0x96, 0xcf, 0xd2, 0xa6, 0xdf, 0x36, 0x1a, 0x02, 0x0d, 0x47, 0x6c, 0xa3, - 0xa3, 0xff, 0xac, 0x32, 0x8a, 0x02, 0xdd, 0x19, 0x17, 0xc5, 0x43, 0x07, 0x40, 0x8f, 0x55, 0xfa, - 0x0c, 0x08, 0x57, 0x6e, 0x2a, 0x69, 0x4c, 0x07, 0x54, 0xea, 0xae, 0x45, 0xe8, 0x0e, 0x49, 0x75, - 0x04, 0x49, 0x24, 0x2f, 0xd1, 0x82, 0x4a, 0x44, 0x76, 0x3b, 0xb4, 0xcc, 0xc3, 0xd1, 0xd8, 0x10, - 0xd2, 0x98, 0x5c, 0xa2, 0xa2, 0xd9, 0xd2, 0x96, 0x0c, 0x94, 0xff, 0x65, 0x60, 0xda, 0x3c, 0x9d, - 0xa2, 0xaf, 0x9c, 0x15, 
0x2d, 0x8a, 0x50, 0xe0, 0x2c, 0x14, 0x58, 0x45, 0x3c, 0x5a, 0x16, 0x37, - 0x08, 0xef, 0x58, 0x06, 0xb5, 0x22, 0xd9, 0x19, 0x4d, 0xf0, 0x80, 0x65, 0x89, 0x44, 0x50, 0x2b, - 0x0a, 0x8a, 0xcf, 0x5e, 0x08, 0x2c, 0x08, 0xfe, 0xff, 0xb7, 0x12, 0x95, 0x25, 0xe5, 0x83, 0x7c, - 0x32, 0x0b, 0xb9, 0x9a, 0x5b, 0xf3, 0x3f, 0x26, 0xd1, 0x6a, 0x6e, 0x13, 0x6b, 0xc1, 0x53, 0x22, - 0x83, 0x3e, 0xf2, 0xc7, 0xbf, 0xf0, 0x80, 0x5c, 0x60, 0x9a, 0x48, 0x1e, 0x51, 0x81, 0xd6, 0x6e, - 0xac, 0xa8, 0x12, 0xb5, 0xf9, 0xa7, 0x02, 0x58, 0x1c, 0x1f, 0xd0, 0xff, 0x93, 0xe5, 0xf2, 0x08, - 0xac, 0x8a, 0xec, 0x54, 0x04, 0x3c, 0x3a, 0xa5, 0x21, 0xe6, 0x34, 0xff, 0x33, 0x61, 0x6e, 0x63, - 0x6e, 0x6b, 0x69, 0xe7, 0xc1, 0xc4, 0x82, 0x80, 0xac, 0x14, 0x5a, 0x19, 0xa9, 0xe6, 0x98, 0xd8, - 0xfc, 0x0a, 0x2c, 0x8c, 0xf5, 0x62, 0x2a, 0x17, 0x0b, 0x1a, 0x70, 0x6a, 0x87, 0x23, 0x73, 0x1f, - 0x60, 0x20, 0x3d, 0x0f, 0xdd, 0x07, 0xf3, 0x6a, 0x52, 0xd4, 0x73, 0xab, 0xed, 0x36, 0xdc, 0x30, - 0x11, 0x7a, 0x64, 0x7d, 0xb6, 0x01, 0xdc, 0x9c, 0x19, 0xae, 0x02, 0x2f, 0x6f, 0xfa, 0xf2, 0x56, - 0xd1, 0x9b, 0xd9, 0xdb, 0xfa, 0xe3, 0x8f, 0xeb, 0x85, 0x3f, 0xff, 0xb8, 0x5e, 0xf8, 0xeb, 0x8f, - 0xeb, 0x85, 0xef, 0xca, 0xe6, 0xbc, 0xe6, 0xff, 0xdb, 0xea, 0x95, 0x7f, 0x84, 0x4f, 0x6f, 0xe9, - 0xc2, 0xff, 0xfc, 0x1f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xd3, 0x2a, 0x5a, 0x58, 0x9a, 0x16, 0x00, - 0x00, + // 2526 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x58, 0xdb, 0x52, 0x1b, 0xc9, + 0xf9, 0x47, 0x30, 0x6b, 0x0f, 0x0d, 0x42, 0x43, 0x03, 0xf6, 0x58, 0x5e, 0x63, 0xcc, 0xae, 0x6d, + 0xd6, 0xff, 0xfd, 0x4b, 0x0b, 0xde, 0x83, 0x77, 0x37, 0x95, 0x04, 0x10, 0x36, 0x68, 0x65, 0x44, + 0x5a, 0xc2, 0x7b, 0xba, 0xe8, 0x6a, 0x66, 0x5a, 0xd2, 0x84, 0xd1, 0xf4, 0xa4, 0xbb, 0x07, 0xc3, + 0x56, 0xe5, 0x26, 0x97, 0xc9, 0x23, 0xe4, 0x19, 0x92, 0xe7, 0x48, 0x55, 0x6e, 0x72, 0x91, 0x07, + 0x48, 0x6d, 0x2e, 0xf2, 0x08, 0xb9, 0x4d, 0xf5, 0x61, 0x24, 0x01, 0xca, 0x6a, 0x9d, 0x4a, 0xe5, + 0x6e, 
0xe6, 0xd7, 0xdf, 0xf7, 0xeb, 0xee, 0x6f, 0xbe, 0xe3, 0x80, 0x72, 0x9f, 0x8a, 0x5e, 0xf5, + 0x6c, 0x93, 0xc4, 0x69, 0x8f, 0x6c, 0x56, 0x03, 0x96, 0x74, 0xa2, 0x6e, 0x25, 0xe5, 0x4c, 0x32, + 0xb8, 0x14, 0x09, 0x19, 0xb1, 0x8a, 0x92, 0xa8, 0xe4, 0x12, 0xe5, 0xd5, 0x2e, 0x63, 0xdd, 0x98, + 0x56, 0xb5, 0xc8, 0x49, 0xd6, 0xa9, 0x86, 0x19, 0x27, 0x32, 0x62, 0x89, 0x51, 0xba, 0xbe, 0xfe, + 0x9a, 0x93, 0x34, 0xa5, 0x5c, 0xd8, 0xf5, 0x3b, 0x97, 0x37, 0x4c, 0x39, 0x3b, 0xbf, 0xb0, 0x4b, + 0x4f, 0x12, 0x2a, 0x5f, 0x33, 0x7e, 0x1a, 0x25, 0xdd, 0x5c, 0xe0, 0x69, 0x35, 0xa4, 0x42, 0x46, + 0x89, 0xde, 0x01, 0xf3, 0x2c, 0xa6, 0x56, 0xf6, 0xc3, 0xd3, 0x67, 0xa2, 0x12, 0xb1, 0x2a, 0x49, + 0xa3, 0x3e, 0x09, 0x7a, 0x51, 0x42, 0xf9, 0x45, 0x35, 0x3d, 0xed, 0x2a, 0x40, 0x54, 0xfb, 0x54, + 0x92, 0xea, 0xd9, 0x66, 0xb5, 0x4b, 0x13, 0xca, 0x89, 0xa4, 0xa1, 0xd1, 0x5a, 0xff, 0xfb, 0x7b, + 0x00, 0xbc, 0xa4, 0xa2, 0xb7, 0xab, 0xaf, 0x09, 0x9f, 0x80, 0x45, 0xbd, 0x3f, 0x8e, 0x23, 0x21, + 0x69, 0x82, 0x53, 0xc6, 0xa5, 0xef, 0xac, 0x15, 0x36, 0xde, 0x42, 0x25, 0xbd, 0xd0, 0xd0, 0xf8, + 0x11, 0xe3, 0x12, 0x3e, 0x02, 0x06, 0xc2, 0x3d, 0x29, 0x53, 0x23, 0xf9, 0x96, 0x96, 0x2c, 0x6a, + 0x78, 0x5f, 0xca, 0x54, 0xcb, 0xed, 0x80, 0x52, 0xc0, 0x92, 0x84, 0x06, 0x12, 0xcb, 0xa8, 0x4f, + 0x59, 0x26, 0xfd, 0x1b, 0x6b, 0x85, 0x8d, 0xb9, 0xad, 0x3b, 0x15, 0x63, 0x99, 0x4a, 0x6e, 0x99, + 0x4a, 0xcd, 0x5a, 0x0e, 0x2d, 0x58, 0x8d, 0xb6, 0x51, 0x80, 0x5f, 0x82, 0xb2, 0x16, 0x0a, 0x58, + 0x8c, 0x43, 0x2a, 0x69, 0xa0, 0x6f, 0x9f, 0xd3, 0x3d, 0x99, 0x44, 0xe7, 0xe7, 0xca, 0xb5, 0x5c, + 0x37, 0x27, 0x66, 0xa0, 0x28, 0x83, 0x14, 0x9f, 0x52, 0x9a, 0x92, 0x38, 0x3a, 0xa3, 0xfe, 0xdb, + 0x9a, 0xab, 0x5e, 0x31, 0x5f, 0x7a, 0x68, 0xff, 0xfc, 0x7b, 0x3f, 0xad, 0xec, 0x9a, 0xa3, 0x45, + 0x2c, 0x39, 0x62, 0x2c, 0x6e, 0x51, 0x29, 0xa3, 0xa4, 0x2b, 0x2a, 0xed, 0xdd, 0xa3, 0xe1, 0x73, + 0x90, 0x7e, 0x91, 0x33, 0xa2, 0x79, 0x39, 0xf2, 0x06, 0xdf, 0x01, 0xc5, 0x28, 0xe9, 0x72, 0x2a, + 0x04, 0x0e, 0x62, 0x22, 0x84, 0x7f, 0x73, 
0xad, 0xb0, 0x31, 0x8b, 0xe6, 0x2d, 0xb8, 0xab, 0x30, + 0xf8, 0x18, 0x94, 0x72, 0x21, 0x41, 0xf9, 0x59, 0x14, 0x50, 0xdf, 0xd5, 0x62, 0x0b, 0x16, 0x6e, + 0x19, 0x14, 0xf6, 0xc1, 0xed, 0x01, 0x1b, 0x4b, 0x24, 0x67, 0x71, 0x4c, 0x39, 0xee, 0xb3, 0x90, + 0xfa, 0xb3, 0x6b, 0x85, 0x8d, 0x85, 0xad, 0x8f, 0x2a, 0x63, 0x5c, 0xb6, 0x32, 0xfc, 0xe2, 0x95, + 0x03, 0xbb, 0xef, 0x40, 0xfb, 0x25, 0x0b, 0x29, 0x5a, 0x89, 0xc6, 0xc1, 0xf0, 0x3d, 0xe0, 0x0d, + 0xcf, 0x15, 0xd3, 0x40, 0x32, 0xee, 0x7f, 0xa8, 0x0f, 0x56, 0x1a, 0x1c, 0xcc, 0xc0, 0xf0, 0x21, + 0x58, 0xa0, 0x09, 0x39, 0x89, 0x29, 0x96, 0x9c, 0x04, 0x51, 0xd2, 0xf5, 0xe7, 0xd7, 0x0a, 0x1b, + 0x2e, 0x2a, 0x1a, 0xb4, 0x6d, 0x40, 0xe5, 0x44, 0x24, 0x08, 0x14, 0x61, 0xcc, 0xba, 0xb8, 0x13, + 0xc5, 0xd4, 0x2f, 0x6a, 0xc2, 0xa2, 0x81, 0x1b, 0xac, 0xfb, 0x3c, 0x8a, 0xa9, 0x72, 0xcc, 0x51, + 0x39, 0xc6, 0xfb, 0x44, 0xfa, 0xbe, 0xd9, 0x7a, 0x28, 0xa9, 0x61, 0x48, 0xc0, 0xd2, 0x88, 0x2c, + 0x4d, 0x02, 0x16, 0xaa, 0xfd, 0xef, 0x6a, 0x83, 0x6c, 0x4e, 0x32, 0xc8, 0x76, 0xce, 0xb6, 0x67, + 0x15, 0xd1, 0x22, 0xb9, 0x0a, 0xc1, 0x1a, 0xb8, 0x6f, 0x6f, 0x47, 0x93, 0x33, 0x76, 0x81, 0x47, + 0xf6, 0xcb, 0x3f, 0xd8, 0x86, 0xbe, 0xee, 0x5d, 0x23, 0xb6, 0xa7, 0xa4, 0x06, 0xcc, 0xf9, 0xd7, + 0xfb, 0x1c, 0x94, 0xc3, 0x48, 0x8c, 0xd0, 0x98, 0xa8, 0xa3, 0x5c, 0x11, 0xf9, 0xcf, 0x34, 0xc1, + 0x6d, 0x2b, 0xa1, 0x19, 0x1a, 0x76, 0xbd, 0xc1, 0xba, 0xf0, 0x05, 0x58, 0x08, 0x69, 0x87, 0x64, + 0xb1, 0xc4, 0x26, 0x47, 0xf9, 0x0b, 0xda, 0x75, 0xd7, 0xc6, 0x5e, 0xf0, 0x48, 0x85, 0xa4, 0xb9, + 0x21, 0x2a, 0x5a, 0x3d, 0x1b, 0xf3, 0x7d, 0x70, 0x9b, 0x65, 0xf2, 0x84, 0x65, 0x49, 0xa8, 0xbe, + 0x55, 0xa7, 0x13, 0x05, 0x38, 0x65, 0x71, 0x14, 0x5c, 0xf8, 0x8b, 0x9a, 0x71, 0xa2, 0x0f, 0x35, + 0xad, 0x7a, 0xdb, 0x68, 0x1f, 0x69, 0x65, 0xb4, 0xc2, 0xc6, 0xc1, 0x70, 0x1f, 0x2c, 0x98, 0xf3, + 0x62, 0xc1, 0x32, 0x1e, 0x50, 0xe1, 0xdf, 0x5a, 0x9b, 0xd9, 0x98, 0xdb, 0x7a, 0x30, 0x76, 0x17, + 0xb3, 0x43, 0x4b, 0x4b, 0xa2, 0x62, 0x30, 0xf2, 0x26, 0x60, 0x0d, 0x78, 0xf6, 
0x23, 0x90, 0x4c, + 0x32, 0xdc, 0x97, 0xb1, 0xf0, 0xff, 0x4f, 0x9f, 0xb8, 0x7c, 0x2d, 0x15, 0xec, 0x30, 0x16, 0xbf, + 0x22, 0x71, 0x46, 0x91, 0x75, 0xcb, 0xed, 0x4c, 0xb2, 0x97, 0x32, 0x16, 0xf0, 0x01, 0x98, 0x97, + 0x3c, 0x13, 0x12, 0x87, 0xac, 0x4f, 0xa2, 0xc4, 0x2f, 0x6b, 0xa7, 0x9a, 0xd3, 0x58, 0x4d, 0x43, + 0xf0, 0x03, 0xb0, 0x3c, 0x2a, 0x82, 0x49, 0x1c, 0x11, 0x41, 0x85, 0x5f, 0x59, 0x9b, 0xd9, 0x98, + 0x45, 0x70, 0x44, 0x74, 0xdb, 0xac, 0xc0, 0xaf, 0x40, 0x29, 0x20, 0x38, 0xa0, 0x5c, 0x46, 0x9d, + 0x28, 0x20, 0x92, 0x0a, 0xff, 0x33, 0x7d, 0xcb, 0xea, 0x24, 0x5b, 0xee, 0x0e, 0x75, 0x6a, 0x44, + 0x12, 0xb4, 0x10, 0x90, 0x11, 0x48, 0xc0, 0xdf, 0x14, 0xc0, 0xcf, 0xcc, 0x0d, 0x42, 0x2c, 0xd2, + 0xa8, 0xd3, 0xa1, 0xb8, 0x9f, 0xc5, 0x32, 0x4a, 0x63, 0x8a, 0xa3, 0x24, 0xa4, 0x29, 0x4d, 0x42, + 0x9a, 0x48, 0x7c, 0xf9, 0xc0, 0x99, 0xec, 0xd1, 0x44, 0x2a, 0x8a, 0x88, 0x25, 0xfe, 0x4f, 0xb4, + 0x67, 0x7d, 0x6a, 0x69, 0x5a, 0x9a, 0xe5, 0xa5, 0x25, 0x39, 0x18, 0x72, 0xb4, 0x47, 0xee, 0x75, + 0x89, 0x00, 0x7e, 0x0a, 0xee, 0xe4, 0xbe, 0x67, 0xdd, 0x1d, 0xd3, 0x73, 0x55, 0x01, 0xb0, 0x64, + 0xfe, 0x7d, 0x6d, 0x95, 0x5b, 0x56, 0xc0, 0xfa, 0xfa, 0x9e, 0x5e, 0x6e, 0x33, 0xb8, 0x0f, 0x1e, + 0xe4, 0xaa, 0x67, 0x11, 0x97, 0x19, 0x89, 0xc7, 0x50, 0xac, 0x69, 0x8a, 0x7b, 0x56, 0xf0, 0x95, + 0x91, 0xbb, 0xca, 0x54, 0x07, 0xeb, 0x39, 0xd3, 0xd5, 0x92, 0x38, 0x42, 0xf5, 0x40, 0x53, 0xad, + 0x5a, 0xc9, 0xda, 0x50, 0x10, 0x65, 0xf1, 0x90, 0xeb, 0x21, 0x58, 0xe0, 0x8c, 0x49, 0x9c, 0x90, + 0x3e, 0x15, 0x29, 0x09, 0xa8, 0xbf, 0x6e, 0xb2, 0x90, 0x42, 0x0f, 0x73, 0x10, 0x76, 0xc0, 0x52, + 0xcc, 0x02, 0x12, 0x47, 0xf2, 0x02, 0xc7, 0x27, 0x58, 0x98, 0x7c, 0xef, 0xbf, 0xa3, 0x9d, 0xee, + 0xe3, 0x1f, 0xa8, 0x19, 0x0d, 0xab, 0xd5, 0x60, 0x24, 0xdc, 0x21, 0x31, 0x49, 0x02, 0xca, 0x6d, + 0xb5, 0x40, 0x8b, 0x39, 0x65, 0xe3, 0xc4, 0x42, 0x70, 0x17, 0x78, 0x61, 0x22, 0x30, 0xa7, 0x1d, + 0x4e, 0x45, 0x0f, 0xab, 0x82, 0xed, 0xbf, 0x3b, 0xb1, 0x66, 0x86, 0x89, 0x40, 0x46, 0x03, 0x11, + 0x49, 0xe1, 0xb7, 
0x60, 0xb1, 0xb7, 0x85, 0xb3, 0xb4, 0xcb, 0x49, 0x48, 0xf3, 0x88, 0x7e, 0x4f, + 0x27, 0xc1, 0x89, 0x5e, 0xb8, 0xbf, 0x75, 0x6c, 0xf4, 0x6c, 0x2c, 0x97, 0x7a, 0x97, 0x01, 0xe5, + 0x01, 0x51, 0x62, 0x72, 0x46, 0x10, 0x67, 0x42, 0x52, 0x8e, 0x85, 0x24, 0xc6, 0x80, 0xfe, 0xfb, + 0xda, 0x76, 0xb7, 0xac, 0xc0, 0xae, 0x59, 0x6f, 0x49, 0xa2, 0x2d, 0xa9, 0xb2, 0xde, 0x20, 0xdf, + 0x5c, 0xd7, 0xfd, 0x7f, 0xad, 0x3b, 0xc8, 0x48, 0x57, 0x95, 0x6b, 0x60, 0xfe, 0x52, 0x54, 0x55, + 0x75, 0x54, 0x8d, 0xcf, 0x79, 0x23, 0x71, 0x83, 0x2e, 0x69, 0xc1, 0x5f, 0x80, 0xa2, 0xec, 0xf1, + 0xa8, 0x33, 0x48, 0x9d, 0x9b, 0xda, 0xb8, 0xef, 0x4f, 0x32, 0x4b, 0x5b, 0x2b, 0xd9, 0x34, 0x3a, + 0x2f, 0x47, 0xde, 0xe0, 0x37, 0xc0, 0xcb, 0xfd, 0xd8, 0xba, 0x85, 0xf0, 0xb7, 0x7e, 0x5c, 0xc8, + 0x5b, 0xc7, 0xce, 0xbb, 0x07, 0x54, 0x12, 0x97, 0x01, 0x88, 0xc0, 0x6d, 0x9b, 0xe8, 0x52, 0xce, + 0xfa, 0x54, 0xf6, 0x68, 0x26, 0x70, 0x9f, 0xf2, 0x2e, 0xf5, 0x9f, 0x4e, 0xcc, 0x77, 0x2b, 0x46, + 0xf5, 0x68, 0xa0, 0xf9, 0x52, 0x29, 0xc2, 0x6f, 0xc1, 0xdb, 0x67, 0x94, 0x47, 0x9d, 0x8b, 0xd1, + 0x2c, 0x85, 0x89, 0xc4, 0x41, 0x1c, 0xd1, 0x44, 0xfa, 0x1f, 0x4f, 0x24, 0xbe, 0x63, 0xf4, 0x47, + 0xac, 0xbc, 0x2d, 0x77, 0xb5, 0x32, 0xdc, 0x02, 0xd3, 0x01, 0xf1, 0x3f, 0xd1, 0x14, 0xeb, 0x13, + 0x33, 0xde, 0x36, 0x9a, 0x0e, 0x08, 0x3c, 0x01, 0x4b, 0xf4, 0x5c, 0xd2, 0x44, 0xa8, 0x20, 0x4e, + 0x39, 0x3b, 0x8b, 0x42, 0xca, 0x85, 0xff, 0xa9, 0xb6, 0xe1, 0xc4, 0xaa, 0xbd, 0x97, 0xab, 0x1e, + 0x59, 0x4d, 0x04, 0xe9, 0x55, 0x48, 0xc0, 0x10, 0x2c, 0x85, 0x91, 0x08, 0xd8, 0x19, 0xe5, 0x17, + 0x83, 0x0e, 0x46, 0xf8, 0x9f, 0xeb, 0x3d, 0x9e, 0x56, 0x4c, 0x07, 0x5d, 0x19, 0xed, 0xa0, 0x2b, + 0xe9, 0x69, 0x57, 0x01, 0xa2, 0xa2, 0x3a, 0xe8, 0xca, 0xd9, 0x66, 0xa5, 0x41, 0x4e, 0x68, 0x9c, + 0xb7, 0x39, 0x08, 0x0e, 0xf8, 0x72, 0x48, 0x94, 0xff, 0x50, 0x00, 0x2b, 0x63, 0x4b, 0x22, 0x3c, + 0x04, 0x8e, 0xee, 0xcd, 0x0a, 0x3a, 0x0a, 0x3f, 0xfb, 0x8f, 0xea, 0x6a, 0x45, 0x37, 0x68, 0x9a, + 0x67, 0xbd, 0x06, 0x1c, 0xdd, 0x97, 0x2d, 0x82, 0x22, 
0xda, 0x7b, 0x71, 0xd0, 0x6a, 0xa3, 0xaf, + 0x71, 0xf3, 0xb0, 0xf1, 0xb5, 0x37, 0x05, 0x8b, 0x60, 0x76, 0xbb, 0xd1, 0x68, 0x7e, 0x89, 0xb7, + 0x0f, 0xbf, 0xf6, 0x0a, 0xeb, 0x8e, 0x3b, 0xed, 0x4d, 0x3f, 0x59, 0x7e, 0x75, 0x80, 0xda, 0xc7, + 0xdb, 0x0d, 0xdc, 0xda, 0x43, 0xaf, 0x0e, 0x76, 0xf7, 0xb4, 0x70, 0xf9, 0xb7, 0x05, 0x50, 0xba, + 0x52, 0x76, 0x20, 0x04, 0x33, 0x29, 0xed, 0xeb, 0x83, 0xce, 0xee, 0x4f, 0x21, 0xf5, 0x02, 0xdf, + 0x07, 0x8b, 0xb6, 0xe2, 0x9c, 0x64, 0x49, 0x18, 0x53, 0x9c, 0xf1, 0xd8, 0x9f, 0xb6, 0x12, 0x25, + 0xb3, 0xb4, 0xa3, 0x57, 0x8e, 0x79, 0x7c, 0xad, 0xae, 0xce, 0x5c, 0xab, 0xab, 0x3b, 0x10, 0x78, + 0xa3, 0xce, 0x17, 0x12, 0x49, 0xca, 0xbf, 0x06, 0xf3, 0xa3, 0x51, 0x06, 0xdf, 0x05, 0x0b, 0x2a, + 0xfd, 0xe1, 0x38, 0xea, 0x47, 0x52, 0xef, 0x58, 0x30, 0x0d, 0xb3, 0x42, 0x1b, 0x0a, 0x54, 0x9b, + 0xbd, 0x00, 0x70, 0x44, 0x2a, 0x9f, 0x0b, 0xa6, 0x27, 0xa5, 0x4c, 0x6f, 0x40, 0x62, 0xe7, 0x81, + 0xf2, 0x1f, 0x0b, 0xa0, 0x74, 0x25, 0x1e, 0x61, 0x1b, 0xb8, 0x83, 0x90, 0x2e, 0x68, 0xca, 0x67, + 0x6f, 0x18, 0xd2, 0x95, 0x41, 0x6c, 0x0f, 0x98, 0xe0, 0x32, 0x78, 0xab, 0xc7, 0x84, 0x14, 0xfe, + 0xb4, 0xae, 0x50, 0xe6, 0xa5, 0x5c, 0x05, 0xee, 0x60, 0xdf, 0x77, 0x40, 0x31, 0xcf, 0x8f, 0xba, + 0x44, 0xe8, 0xcd, 0x5d, 0x34, 0x6f, 0x41, 0x5d, 0x53, 0xca, 0x7f, 0x2d, 0x80, 0xe9, 0xdd, 0x6d, + 0xe8, 0x83, 0x9b, 0x24, 0x0c, 0x55, 0x07, 0x6e, 0xed, 0x93, 0xbf, 0xc2, 0x26, 0x98, 0x97, 0xb1, + 0x18, 0x26, 0xa5, 0xe9, 0x4b, 0xa9, 0x6e, 0xec, 0x80, 0xa3, 0x83, 0xb8, 0xdd, 0x68, 0x0d, 0x4e, + 0x3d, 0x27, 0x63, 0x31, 0x38, 0xd6, 0x0e, 0x28, 0x71, 0xfa, 0xab, 0x8c, 0x8a, 0xa1, 0xa1, 0x67, + 0x26, 0xd6, 0x26, 0xab, 0x91, 0x8f, 0x5d, 0xf7, 0xc1, 0x9c, 0xde, 0x3f, 0xc4, 0x22, 0x0a, 0xa9, + 0x9e, 0x30, 0x5d, 0x04, 0x0c, 0xd4, 0x8a, 0x42, 0x5a, 0xfe, 0xc7, 0x0d, 0xb0, 0x78, 0x2d, 0xa6, + 0x21, 0x04, 0x8e, 0x2e, 0x12, 0xe6, 0x8a, 0xfa, 0x19, 0xfe, 0xae, 0x00, 0x96, 0x4d, 0xf7, 0x4c, + 0xcf, 0xa5, 0xee, 0x74, 0xbe, 0xd3, 0x13, 0xa9, 0xbd, 0xe8, 0x57, 0x6f, 0x9c, 0x39, 0x2a, 
0xba, + 0xd5, 0x56, 0x30, 0x4f, 0x48, 0xac, 0x3a, 0x1f, 0xc6, 0xa3, 0xef, 0xf4, 0x3d, 0xf4, 0x4c, 0x6b, + 0xc5, 0xf6, 0xa7, 0xd0, 0x22, 0xb5, 0x92, 0x4a, 0xe8, 0x3b, 0xb5, 0x38, 0xf6, 0x34, 0x5d, 0x9e, + 0x06, 0xd6, 0x44, 0xff, 0xd5, 0xd3, 0xbc, 0xe0, 0x69, 0xf0, 0x6f, 0x4f, 0xa3, 0x16, 0xcb, 0xff, + 0x9c, 0x06, 0x8f, 0x7e, 0xdc, 0x6d, 0x94, 0x03, 0xe5, 0x93, 0x8b, 0x75, 0x20, 0xfb, 0xaa, 0x8c, + 0xae, 0x87, 0x7b, 0x65, 0xcf, 0x22, 0xd2, 0xcf, 0xea, 0xfb, 0xa5, 0x44, 0xf6, 0x70, 0xca, 0x69, + 0x27, 0x3a, 0xb7, 0xb1, 0x0d, 0x14, 0x74, 0xa4, 0x11, 0x78, 0x17, 0xcc, 0x76, 0x48, 0x14, 0x63, + 0x96, 0xd2, 0xc4, 0x7e, 0x5e, 0x57, 0x01, 0xcd, 0x94, 0x26, 0x6a, 0xe8, 0x53, 0x05, 0x3f, 0x13, + 0x98, 0x25, 0x98, 0x72, 0xce, 0xb8, 0xfe, 0x73, 0x30, 0x8b, 0x8a, 0x06, 0x6e, 0x26, 0x7b, 0x0a, + 0x84, 0x9f, 0x00, 0x3f, 0x4a, 0x82, 0x38, 0x0b, 0x29, 0xee, 0x51, 0xa2, 0x32, 0x38, 0x8e, 0x12, + 0x1c, 0xf4, 0x68, 0x70, 0xea, 0xdf, 0xd0, 0x51, 0xb3, 0x62, 0xd7, 0xf7, 0xcd, 0xf2, 0x41, 0xb2, + 0xab, 0x16, 0xe1, 0x4f, 0xc1, 0xdb, 0xb9, 0x82, 0x64, 0x38, 0x4b, 0x85, 0xe4, 0x94, 0xf4, 0xd5, + 0x6e, 0x24, 0x8e, 0xd9, 0x6b, 0xff, 0xa6, 0x56, 0xf6, 0xad, 0x4c, 0x9b, 0x1d, 0x5b, 0x89, 0x66, + 0xb2, 0xad, 0xd6, 0xe1, 0xcf, 0xc1, 0xbd, 0x11, 0xfd, 0x90, 0xbd, 0x4e, 0x86, 0x0c, 0x21, 0x4d, + 0x2e, 0x7c, 0x57, 0x13, 0xdc, 0x19, 0x10, 0xd4, 0x06, 0x22, 0xcd, 0xa4, 0x46, 0x93, 0x8b, 0xf2, + 0xef, 0x0b, 0x3f, 0x64, 0xf9, 0xd1, 0x2f, 0xf7, 0x86, 0x96, 0xbf, 0x64, 0xd8, 0x99, 0xc9, 0x86, + 0x75, 0xc6, 0x18, 0x76, 0x07, 0x00, 0x37, 0xaf, 0xb0, 0xeb, 0x75, 0xb0, 0x32, 0xf6, 0x1f, 0x00, + 0x2c, 0x81, 0xb9, 0xe3, 0xc3, 0xd6, 0xd1, 0xde, 0xee, 0xc1, 0xf3, 0x83, 0xbd, 0x9a, 0x37, 0x05, + 0x6f, 0x82, 0x99, 0xe6, 0xf3, 0xe7, 0x5e, 0x01, 0xce, 0x81, 0x9b, 0xb5, 0xbd, 0xe7, 0xdb, 0xc7, + 0x8d, 0xb6, 0x37, 0x0d, 0x01, 0xb8, 0xd1, 0x6a, 0xa3, 0x83, 0xdd, 0xb6, 0x37, 0xb3, 0xfe, 0x08, + 0x00, 0x75, 0x4f, 0x5b, 0xed, 0x5c, 0xe0, 0x1c, 0x36, 0x0f, 0xf7, 0xbc, 0x29, 0xb8, 0x00, 0xc0, + 0xcb, 0x63, 0x5d, 0x78, 0xda, 
0x8d, 0x96, 0x57, 0x58, 0x7f, 0x0c, 0x16, 0xaf, 0x8d, 0xd9, 0x4a, + 0xbc, 0xbd, 0xf7, 0x55, 0xdb, 0x9b, 0x52, 0x4f, 0xf5, 0x56, 0xf3, 0xd0, 0x2b, 0xac, 0x6f, 0x81, + 0xd2, 0x95, 0x56, 0x14, 0x42, 0xb0, 0x50, 0x6b, 0xe2, 0xc3, 0x66, 0x1b, 0x1f, 0x1f, 0xbd, 0x40, + 0xdb, 0x35, 0xc5, 0x3f, 0x07, 0x6e, 0xe6, 0x2f, 0x85, 0xba, 0xe3, 0x16, 0xbc, 0xe9, 0xba, 0x2a, + 0x78, 0x33, 0x75, 0xc7, 0x9d, 0xf1, 0x9c, 0xba, 0xe3, 0x7e, 0xe0, 0x6d, 0xd6, 0x1d, 0xf7, 0x8e, + 0x57, 0xae, 0x3b, 0xee, 0xaa, 0x77, 0xbf, 0xee, 0xb8, 0xc0, 0x9b, 0xab, 0x3b, 0xee, 0x9c, 0x37, + 0x5f, 0x77, 0xdc, 0x92, 0xe7, 0xd5, 0x1d, 0xd7, 0xf3, 0x16, 0xeb, 0x8e, 0x0b, 0xbd, 0xa5, 0xba, + 0xe3, 0x2e, 0x79, 0xcb, 0x75, 0xc7, 0x5d, 0xf6, 0x56, 0xea, 0x8e, 0xbb, 0xe2, 0xdd, 0xaa, 0x3b, + 0xee, 0x6d, 0xcf, 0xaf, 0x3b, 0xee, 0x3d, 0x6f, 0xb5, 0xee, 0xb8, 0x1f, 0x79, 0x1f, 0xd7, 0x1d, + 0xf7, 0xa1, 0xf7, 0xa8, 0xee, 0xb8, 0x8f, 0xbc, 0xc7, 0x75, 0xc7, 0x7d, 0xec, 0x6d, 0x20, 0xd8, + 0x8f, 0xce, 0x29, 0x37, 0xee, 0xa9, 0x67, 0x1a, 0xca, 0xd1, 0x92, 0xc1, 0x38, 0xd5, 0xe3, 0x88, + 0x05, 0x57, 0xf2, 0xa1, 0xdf, 0xf4, 0xe4, 0x46, 0x43, 0xa0, 0xc1, 0xbf, 0x00, 0xa3, 0xa3, 0xff, + 0xaa, 0x19, 0x45, 0x81, 0x6e, 0x8d, 0x8a, 0xe2, 0x81, 0x03, 0xa0, 0x87, 0x2a, 0x7d, 0x06, 0x84, + 0x2b, 0x37, 0x95, 0x34, 0xa6, 0x7d, 0x2a, 0x75, 0x67, 0x23, 0x74, 0x17, 0xa5, 0xba, 0x86, 0x24, + 0x92, 0x17, 0x68, 0x4e, 0x25, 0x22, 0xbb, 0x1d, 0x5a, 0xe4, 0xe1, 0x70, 0xb4, 0x08, 0x69, 0x4c, + 0x2e, 0x50, 0xd1, 0x6c, 0x69, 0x4b, 0x06, 0xca, 0xff, 0x6d, 0x98, 0x56, 0x50, 0xa7, 0xe8, 0x4b, + 0x67, 0x45, 0xf3, 0x22, 0x14, 0x38, 0x0b, 0x05, 0x56, 0x11, 0x8f, 0x16, 0xc5, 0x35, 0xc2, 0x5b, + 0x96, 0x41, 0xad, 0x48, 0x76, 0x4a, 0x13, 0xdc, 0x67, 0x59, 0x22, 0x11, 0xd4, 0x8a, 0x82, 0xe2, + 0xd3, 0x67, 0x02, 0x0b, 0x82, 0x7f, 0xf9, 0x5a, 0xa2, 0xb2, 0xa4, 0xbc, 0x9f, 0x4f, 0x6f, 0x21, + 0x57, 0xf3, 0x6a, 0xfe, 0x07, 0x15, 0x2d, 0xe7, 0x36, 0xb1, 0x16, 0x3c, 0x21, 0x32, 0xe8, 0x21, + 0x7f, 0xf4, 0x0d, 0xf7, 0xc9, 0x39, 0xa6, 0x89, 0xe4, 0x11, 0x15, 
0x68, 0xe5, 0xda, 0x8a, 0x2a, + 0x51, 0xeb, 0x7f, 0x2e, 0x80, 0xf9, 0xd1, 0x3f, 0x09, 0xff, 0xcb, 0x72, 0x79, 0x04, 0x96, 0x45, + 0x76, 0x22, 0x02, 0x1e, 0x9d, 0xd0, 0x10, 0x73, 0x9a, 0xff, 0xf5, 0x98, 0x59, 0x9b, 0xd9, 0x58, + 0xd8, 0xba, 0x37, 0xb6, 0x20, 0x20, 0x2b, 0x85, 0x96, 0x86, 0xaa, 0x39, 0x26, 0xd6, 0xbf, 0x00, + 0x73, 0x23, 0xed, 0x9a, 0xca, 0xc5, 0x82, 0x06, 0x9c, 0xda, 0x01, 0xca, 0xdc, 0x07, 0x18, 0x48, + 0xcf, 0x4c, 0x77, 0xc1, 0xac, 0x9a, 0x26, 0xf5, 0x6c, 0x6b, 0xbb, 0x0d, 0x37, 0x4c, 0x84, 0x1e, + 0x6b, 0x9f, 0xac, 0x01, 0x37, 0x67, 0x86, 0xcb, 0xc0, 0xcb, 0x1b, 0xc3, 0xbc, 0x9d, 0xf4, 0xa6, + 0x76, 0x36, 0xfe, 0xf4, 0xfd, 0x6a, 0xe1, 0x2f, 0xdf, 0xaf, 0x16, 0xfe, 0xf6, 0xfd, 0x6a, 0xe1, + 0x9b, 0xb2, 0x39, 0xaf, 0xf9, 0xd1, 0x5c, 0xbd, 0xf4, 0xeb, 0xfa, 0xe4, 0x86, 0x2e, 0xfc, 0x4f, + 0xff, 0x15, 0x00, 0x00, 0xff, 0xff, 0x4a, 0x6e, 0xd7, 0x72, 0x43, 0x17, 0x00, 0x00, } func (m *MeshConfig) Marshal() (dAtA []byte, err error) { @@ -1886,6 +1927,18 @@ func (m *MeshConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.EnabledSpiffeMultipleIndependentTrustDomainAuthentication { + i-- + if m.EnabledSpiffeMultipleIndependentTrustDomainAuthentication { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x3 + i-- + dAtA[i] = 0xe0 + } if len(m.DiscoverySelectors) > 0 { for iNdEx := len(m.DiscoverySelectors) - 1; iNdEx >= 0; iNdEx-- { { @@ -2387,6 +2440,13 @@ func (m *MeshConfig_CertificateData) MarshalToSizedBuffer(dAtA []byte) (int, err i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.TrustDomain) > 0 { + i -= len(m.TrustDomain) + copy(dAtA[i:], m.TrustDomain) + i = encodeVarintConfig(dAtA, i, uint64(len(m.TrustDomain))) + i-- + dAtA[i] = 0x1a + } if m.CertificateData != nil { { size := m.CertificateData.Size() 
@@ -3149,6 +3209,9 @@ func (m *MeshConfig) Size() (n int) { n += 2 + l + sovConfig(uint64(l)) } } + if m.EnabledSpiffeMultipleIndependentTrustDomainAuthentication { + n += 3 + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -3179,6 +3242,10 @@ func (m *MeshConfig_CertificateData) Size() (n int) { if m.CertificateData != nil { n += m.CertificateData.Size() } + l = len(m.TrustDomain) + if l > 0 { + n += 1 + l + sovConfig(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -4697,6 +4764,26 @@ func (m *MeshConfig) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 60: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field EnabledSpiffeMultipleIndependentTrustDomainAuthentication", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + m.EnabledSpiffeMultipleIndependentTrustDomainAuthentication = bool(v != 0) default: iNdEx = preIndex skippy, err := skipConfig(dAtA[iNdEx:]) 
@@ -4882,6 +4969,38 @@ func (m *MeshConfig_CertificateData) Unmarshal(dAtA []byte) error { } m.CertificateData = &MeshConfig_CertificateData_SpiffeBundleUrl{string(dAtA[iNdEx:postIndex])} iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field TrustDomain", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.TrustDomain = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipConfig(dAtA[iNdEx:]) diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 8074a0201f6..725c4899cd8 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto @@ -222,6 +222,13 @@ message MeshConfig { // The certificate is retrieved from the endpoint. string spiffe_bundle_url = 2; } + + // Optional. Specify the trust domain to which this certificate data belongs. + // If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for + // distinguishing different trust domains from each other. Certificates in a same trust domain will be merged + // and used together to validate the trust domain. + // If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set. + string trust_domain = 3; } // The extra root certificates for workload-to-workload communication. 
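Review bot: The new comment on `trust_domain` in `CertificateData` says the field "must be set" when `enabled_spiffe_multiple_independent_trust_domain_authentication` is on, but it does not say what happens to an entry that leaves it empty in that mode. If such an entry were used as a root for every trust domain, the isolation the flag is meant to provide would be lost, so the contract belongs in the comment, e.g. `// An entry with an empty trust_domain is rejected when the flag is enabled; it is never used as a root for all trust domains.` That wording assumes rejection is the intended behaviour, which the enforcing code (not part of this patch) would have to confirm. The comment could also state the expected format, a bare name such as "example.com" rather than a "spiffe://" URI, to match the example given for the flag itself.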
@@ -230,6 +237,25 @@ message MeshConfig {
 // The CA certificate that signs the workload certificates is automatically added by Istio Agent.
 repeated CertificateData ca_certificates = 58;
+ // If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation.
+ // That means, all the root certificates specified in `ca_certificates` and the self-signed 'istio-ca-secret' secret are used to
+ // validate client certificates while keeping them isolated from each other.
+ // More precisely, the proxy validates client certificates with the following procedure:
+ // 1. Extract the SVID(URI SAN) in an incoming client certificate.
+ // 2. Select a root certificate for the trust domain in the SVID (E.g. "example.com" for "spiffe://example.com/foo" SVID).
+ // 3. Verify the certificate using the selected root certificate.
+ // This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates.
+ // For example, consider the case where a cluster A manages the trust domain "aaa.com", cluster B manages "bbb.com".
+ // When services in cluster A talk to services in cluster B, services in cluster B have to validate client certificates
+ // based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B,
+ // then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because
+ // cluster A might sign client certificates with "spiffe://bbb.com/**" URI SAN in order to bypass
+ // cluster B's authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other.
+ // This is why we need to select root certificates based on the trust domain before verify client certificates.
+ //
+ // Please note that this setting requires `STRICT` mTLS mode to take into effect.
+ bool enabled_spiffe_multiple_independent_trust_domain_authentication = 60; + // The default value for the ServiceEntry.export_to field and services // imported through container registry integrations, e.g. this applies to // Kubernetes Service resources. The value is a list of namespace names and diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json index 5e6c04d5984..d68721e078d 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json 
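Review bot: The three-step procedure in the comment for `enabled_spiffe_multiple_independent_trust_domain_authentication` leaves the failure cases undefined: a client certificate with no URI SAN or with several, and an SVID whose trust domain has no root in `ca_certificates`. Because the flag exists to keep trust domains isolated, the comment should say these are rejected rather than checked against the merged root set, for instance `// A certificate with no SPIFFE URI SAN, or whose trust domain has no configured root, fails validation.` This needs confirming against the proxy behaviour, which this patch does not show. The closing sentence should likewise say what the proxy does outside `STRICT` mode, since a silent fallback to merged roots would be easy to miss. Smaller points: "mTSL" should read "mTLS", and the generated gen.json and pb.html copies in this patch still read "has to validate" where this hunk says "have to validate", so they look stale and should be regenerated.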
@@ -118,6 +118,10 @@ "format": "string" } }, + "enabledSpiffeMultipleIndependentTrustDomainAuthentication": { + "description": "If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation. That means, all the root certificates specified in `ca_certificates` and the self-signed 'istio-ca-secret' secret are used to validate client certificates while keeping them isolated from each other. More precisely, the proxy validates client certificates with the following procedure: 1. Extract the SVID(URI SAN) in an incoming client certificate. 2. Select a root certificate for the trust domain in the SVID (E.g. \"example.com\" for \"spiffe://example.com/foo\" SVID). 3. Verify the certificate using the selected root certificate. This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates. For example, consider the case where a cluster A manages the trust domain \"aaa.com\", cluster B manages \"bbb.com\". When services in cluster A talk to services in cluster B, services in cluster B has to validate client certificates based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B, then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because cluster A might sign client certificates with \"spiffe://bbb.com/**\" URI SAN in order to bypass cluster B's authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other. This is why we need to select root certificates based on the trust domain before verify client certificates.", + "type": "boolean" + }, "defaultServiceExportTo": { "description": "The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. 
The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use \"*\" as the default value which implies that services are exported to all namespaces.", "type": "array", @@ -408,6 +412,13 @@ }, "istio.mesh.v1alpha1.MeshConfig.CertificateData": { "type": "object", + "properties": { + "trustDomain": { + "description": "Optional. Specify the trust domain to which this certificate data belongs. If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for distinguishing different trust domains from each other. Certificates in a same trust domain will be merged and used together to validate the trust domain. If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set.", + "type": "string", + "format": "string" + } + }, "oneOf": [ { "not": { diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index 9023b5e6b8c..295e0b5abc5 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -328,6 +328,33 @@

MeshConfig

are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

+ + +No + + + +enabledSpiffeMultipleIndependentTrustDomainAuthentication +bool + +

If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation. +That means, all the root certificates specified in ca_certificates and the self-signed ‘istio-ca-secret’ secret are used to +validate client certificates while keeping them isolated from each other. +More precisely, the proxy validates client certificates with the following procedure: +1. Extract the SVID(URI SAN) in an incoming client certificate. +2. Select a root certificate for the trust domain in the SVID (E.g. “example.com” for “spiffe://example.com/foo” SVID). +3. Verify the certificate using the selected root certificate. +This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates. +For example, consider the case where a cluster A manages the trust domain “aaa.com”, cluster B manages “bbb.com”. +When services in cluster A talk to services in cluster B, services in cluster B has to validate client certificates +based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B, +then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because +cluster A might sign client certificates with “spiffe://bbb.com/**” URI SAN in order to bypass +cluster B’s authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other. +This is why we need to select root certificates based on the trust domain before verify client certificates.

+ +

Please note that this setting requires STRICT mTLS mode to take into effect.

+ No @@ -805,6 +832,21 @@

MeshConfig.CertificateData

https://github.com/spiffe/spiffe/blob/master/standards/SPIFFETrustDomainandBundle.md#521-web-pki The certificate is retrieved from the endpoint.

+ + +No + + + +trustDomain +string + +

Optional. Specify the trust domain to which this certificate data belongs. +If enabled_spiffe_multiple_independent_trust_domain_authentication enabled, this must be set for +distinguishing different trust domains from each other. Certificates in a same trust domain will be merged +and used together to validate the trust domain. +If enabled_spiffe_multiple_independent_trust_domain_authentication disabled, it is not necessary to set.

+ No diff --git a/python/istio_api/mesh/v1alpha1/config_pb2.py b/python/istio_api/mesh/v1alpha1/config_pb2.py index f2f855ef43a..e487c3b3f75 100644 --- a/python/istio_api/mesh/v1alpha1/config_pb2.py +++ b/python/istio_api/mesh/v1alpha1/config_pb2.py 
@@ -26,7 +26,7 @@ package='istio.mesh.v1alpha1', syntax='proto3', serialized_options=_b('Z\032istio.io/api/mesh/v1alpha1'), - serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xba(\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 
\x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 \x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 
\x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 \x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1ag\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrlB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xe7\x06\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 
\x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x1a\xf7\x02\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1a\x9b\x01\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 
\x01(\tR\rstatusOnErrorB\n\n\x08provider\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') + 
serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xe3)\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 \x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 
\x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x82\x01\n?enabled_spiffe_multiple_independent_trust_domain_authentication\x18< \x01(\x08R9enabledSpiffeMultipleIndependentTrustDomainAuthentication\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 
\x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 \x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1a\x8a\x01\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrl\x12!\n\x0ctrust_domain\x18\x03 \x01(\tR\x0btrustDomainB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xe7\x06\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 
\x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x1a\xf7\x02\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1a\x9b\x01\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 
\x01(\tR\rstatusOnErrorB\n\n\x08provider\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') , 
dependencies=[google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,google_dot_protobuf_dot_wrappers__pb2.DESCRIPTOR,mesh_dot_v1alpha1_dot_proxy__pb2.DESCRIPTOR,networking_dot_v1alpha3_dot_destination__rule__pb2.DESCRIPTOR,k8s_dot_io_dot_apimachinery_dot_pkg_dot_apis_dot_meta_dot_v1_dot_generated__pb2.DESCRIPTOR,]) @@ -43,8 +43,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=5704, - serialized_end=5736, + serialized_start=5873, + serialized_end=5905, ) _sym_db.RegisterEnumDescriptor(_RESOURCE) @@ -69,8 +69,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=3113, - serialized_end=3181, + serialized_start=3246, + serialized_end=3314, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_OUTBOUNDTRAFFICPOLICY_MODE) @@ -99,8 +99,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=4681, - serialized_end=4755, + serialized_start=4850, + serialized_end=4924, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_INGRESSCONTROLLERMODE) @@ -121,8 +121,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=4757, - serialized_end=4795, + serialized_start=4926, + serialized_end=4964, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_AUTHPOLICY) @@ -143,8 +143,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=4797, - serialized_end=4836, + serialized_start=4966, + serialized_end=5005, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_ACCESSLOGENCODING) @@ -165,8 +165,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=4838, - serialized_end=4888, + serialized_start=5007, + serialized_end=5057, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_H2UPGRADEPOLICY) @@ -198,8 +198,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3008, - serialized_end=3181, + serialized_start=3141, + serialized_end=3314, ) _MESHCONFIG_CERTIFICATEDATA = _descriptor.Descriptor( 
@@ -223,6 +223,13 @@ message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='spiffeBundleUrl', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='trust_domain', full_name='istio.mesh.v1alpha1.MeshConfig.CertificateData.trust_domain', index=2, + number=3, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='trustDomain', file=DESCRIPTOR), ], extensions=[ ], @@ -238,8 +245,8 @@ name='certificate_data', full_name='istio.mesh.v1alpha1.MeshConfig.CertificateData.certificate_data', index=0, containing_type=None, fields=[]), ], - serialized_start=3183, - serialized_end=3286, + serialized_start=3317, + serialized_end=3455, ) _MESHCONFIG_THRIFTCONFIG = _descriptor.Descriptor( @@ -275,8 +282,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3288, - serialized_end=3413, + serialized_start=3457, + serialized_end=3582, ) _MESHCONFIG_SERVICESETTINGS_SETTINGS = _descriptor.Descriptor( @@ -305,8 +312,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3543, - serialized_end=3590, + serialized_start=3712, + serialized_end=3759, ) _MESHCONFIG_SERVICESETTINGS = _descriptor.Descriptor( @@ -342,8 +349,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3416, - serialized_end=3590, + serialized_start=3585, + serialized_end=3759, ) _MESHCONFIG_CA = _descriptor.Descriptor( @@ -393,8 +400,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3593, - serialized_end=3805, + serialized_start=3762, + serialized_end=3974, ) _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER = _descriptor.Descriptor( 
@@ -472,8 +479,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=4134, - serialized_end=4509, + serialized_start=4303, + serialized_end=4678, ) _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER = _descriptor.Descriptor( @@ -523,8 +530,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=4512, - serialized_end=4667, + serialized_start=4681, + serialized_end=4836, ) _MESHCONFIG_EXTENSIONPROVIDER = _descriptor.Descriptor( @@ -570,8 +577,8 @@ name='provider', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.provider', index=0, containing_type=None, fields=[]), ], - serialized_start=3808, - serialized_end=4679, + serialized_start=3977, + serialized_end=4848, ) _MESHCONFIG = _descriptor.Descriptor( 
@@ -736,119 +743,126 @@ is_extension=False, extension_scope=None, serialized_options=None, json_name='caCertificates', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='default_service_export_to', full_name='istio.mesh.v1alpha1.MeshConfig.default_service_export_to', index=22, + name='enabled_spiffe_multiple_independent_trust_domain_authentication', full_name='istio.mesh.v1alpha1.MeshConfig.enabled_spiffe_multiple_independent_trust_domain_authentication', index=22, + number=60, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='enabledSpiffeMultipleIndependentTrustDomainAuthentication', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='default_service_export_to', full_name='istio.mesh.v1alpha1.MeshConfig.default_service_export_to', index=23, number=31, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='defaultServiceExportTo', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='default_virtual_service_export_to', full_name='istio.mesh.v1alpha1.MeshConfig.default_virtual_service_export_to', index=23, + name='default_virtual_service_export_to', full_name='istio.mesh.v1alpha1.MeshConfig.default_virtual_service_export_to', index=24, number=32, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='defaultVirtualServiceExportTo', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='default_destination_rule_export_to', full_name='istio.mesh.v1alpha1.MeshConfig.default_destination_rule_export_to', index=24, + name='default_destination_rule_export_to', 
full_name='istio.mesh.v1alpha1.MeshConfig.default_destination_rule_export_to', index=25, number=33, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='defaultDestinationRuleExportTo', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='root_namespace', full_name='istio.mesh.v1alpha1.MeshConfig.root_namespace', index=25, + name='root_namespace', full_name='istio.mesh.v1alpha1.MeshConfig.root_namespace', index=26, number=34, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='rootNamespace', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='locality_lb_setting', full_name='istio.mesh.v1alpha1.MeshConfig.locality_lb_setting', index=26, + name='locality_lb_setting', full_name='istio.mesh.v1alpha1.MeshConfig.locality_lb_setting', index=27, number=35, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='localityLbSetting', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='dns_refresh_rate', full_name='istio.mesh.v1alpha1.MeshConfig.dns_refresh_rate', index=27, + name='dns_refresh_rate', full_name='istio.mesh.v1alpha1.MeshConfig.dns_refresh_rate', index=28, number=36, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='dnsRefreshRate', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='h2_upgrade_policy', full_name='istio.mesh.v1alpha1.MeshConfig.h2_upgrade_policy', index=28, + name='h2_upgrade_policy', 
full_name='istio.mesh.v1alpha1.MeshConfig.h2_upgrade_policy', index=29, number=41, type=14, cpp_type=8, label=1, has_default_value=False, default_value=0, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='h2UpgradePolicy', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='inbound_cluster_stat_name', full_name='istio.mesh.v1alpha1.MeshConfig.inbound_cluster_stat_name', index=29, + name='inbound_cluster_stat_name', full_name='istio.mesh.v1alpha1.MeshConfig.inbound_cluster_stat_name', index=30, number=44, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='inboundClusterStatName', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='outbound_cluster_stat_name', full_name='istio.mesh.v1alpha1.MeshConfig.outbound_cluster_stat_name', index=30, + name='outbound_cluster_stat_name', full_name='istio.mesh.v1alpha1.MeshConfig.outbound_cluster_stat_name', index=31, number=45, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='outboundClusterStatName', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='certificates', full_name='istio.mesh.v1alpha1.MeshConfig.certificates', index=31, + name='certificates', full_name='istio.mesh.v1alpha1.MeshConfig.certificates', index=32, number=47, type=11, cpp_type=10, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='certificates', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='thrift_config', full_name='istio.mesh.v1alpha1.MeshConfig.thrift_config', index=32, + 
name='thrift_config', full_name='istio.mesh.v1alpha1.MeshConfig.thrift_config', index=33, number=49, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='thriftConfig', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='service_settings', full_name='istio.mesh.v1alpha1.MeshConfig.service_settings', index=33, + name='service_settings', full_name='istio.mesh.v1alpha1.MeshConfig.service_settings', index=34, number=50, type=11, cpp_type=10, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='serviceSettings', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='enable_prometheus_merge', full_name='istio.mesh.v1alpha1.MeshConfig.enable_prometheus_merge', index=34, + name='enable_prometheus_merge', full_name='istio.mesh.v1alpha1.MeshConfig.enable_prometheus_merge', index=35, number=51, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='enablePrometheusMerge', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='verify_certificate_at_client', full_name='istio.mesh.v1alpha1.MeshConfig.verify_certificate_at_client', index=35, + name='verify_certificate_at_client', full_name='istio.mesh.v1alpha1.MeshConfig.verify_certificate_at_client', index=36, number=54, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='verifyCertificateAtClient', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='ca', full_name='istio.mesh.v1alpha1.MeshConfig.ca', index=36, + name='ca', 
full_name='istio.mesh.v1alpha1.MeshConfig.ca', index=37, number=55, type=11, cpp_type=10, label=1, has_default_value=False, default_value=None, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='ca', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='extension_providers', full_name='istio.mesh.v1alpha1.MeshConfig.extension_providers', index=37, + name='extension_providers', full_name='istio.mesh.v1alpha1.MeshConfig.extension_providers', index=38, number=57, type=11, cpp_type=10, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='extensionProviders', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='discovery_selectors', full_name='istio.mesh.v1alpha1.MeshConfig.discovery_selectors', index=38, + name='discovery_selectors', full_name='istio.mesh.v1alpha1.MeshConfig.discovery_selectors', index=39, number=59, type=11, cpp_type=10, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, @@ -871,7 +885,7 @@ oneofs=[ ], serialized_start=241, - serialized_end=5419, + serialized_end=5588, ) @@ -915,8 +929,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5422, - serialized_end=5625, + serialized_start=5591, + serialized_end=5794, ) @@ -953,8 +967,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5627, - serialized_end=5702, + serialized_start=5796, + serialized_end=5871, ) _MESHCONFIG_OUTBOUNDTRAFFICPOLICY.fields_by_name['mode'].enum_type = _MESHCONFIG_OUTBOUNDTRAFFICPOLICY_MODE diff --git a/python/istio_api/security/v1beta1/authorization_policy_pb2.py b/python/istio_api/security/v1beta1/authorization_policy_pb2.py index 5413e0f942d..99061fe3d05 100644 --- a/python/istio_api/security/v1beta1/authorization_policy_pb2.py 
+++ b/python/istio_api/security/v1beta1/authorization_policy_pb2.py 
@@ -22,7 +22,7 @@ package='istio.security.v1beta1', syntax='proto3', serialized_options=_b('Z\035istio.io/api/security/v1beta1'), - serialized_pb=_b('\n+security/v1beta1/authorization_policy.proto\x12\x16istio.security.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1btype/v1beta1/selector.proto\"\xa4\x03\n\x13\x41uthorizationPolicy\x12@\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelectorR\x08selector\x12\x32\n\x05rules\x18\x02 \x03(\x0b\x32\x1c.istio.security.v1beta1.RuleR\x05rules\x12J\n\x06\x61\x63tion\x18\x03 \x01(\x0e\x32\x32.istio.security.v1beta1.AuthorizationPolicy.ActionR\x06\x61\x63tion\x12[\n\x08provider\x18\x04 \x01(\x0b\x32=.istio.security.v1beta1.AuthorizationPolicy.ExtensionProviderH\x00R\x08provider\x1a\'\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\"4\n\x06\x41\x63tion\x12\t\n\x05\x41LLOW\x10\x00\x12\x08\n\x04\x44\x45NY\x10\x01\x12\t\n\x05\x41UDIT\x10\x02\x12\n\n\x06\x43USTOM\x10\x03\x42\x0f\n\raction_detail\"\xac\x02\n\x04Rule\x12\x35\n\x04\x66rom\x18\x01 \x03(\x0b\x32!.istio.security.v1beta1.Rule.FromR\x04\x66rom\x12/\n\x02to\x18\x02 \x03(\x0b\x32\x1f.istio.security.v1beta1.Rule.ToR\x02to\x12\x35\n\x04when\x18\x03 \x03(\x0b\x32!.istio.security.v1beta1.ConditionR\x04when\x1a>\n\x04\x46rom\x12\x36\n\x06source\x18\x01 \x01(\x0b\x32\x1e.istio.security.v1beta1.SourceR\x06source\x1a\x45\n\x02To\x12?\n\toperation\x18\x01 \x01(\x0b\x32!.istio.security.v1beta1.OperationR\toperation\"\x97\x03\n\x06Source\x12\x1e\n\nprincipals\x18\x01 \x03(\tR\nprincipals\x12%\n\x0enot_principals\x18\x05 \x03(\tR\rnotPrincipals\x12-\n\x12request_principals\x18\x02 \x03(\tR\x11requestPrincipals\x12\x34\n\x16not_request_principals\x18\x06 \x03(\tR\x14notRequestPrincipals\x12\x1e\n\nnamespaces\x18\x03 \x03(\tR\nnamespaces\x12%\n\x0enot_namespaces\x18\x07 \x03(\tR\rnotNamespaces\x12\x1b\n\tip_blocks\x18\x04 \x03(\tR\x08ipBlocks\x12\"\n\rnot_ip_blocks\x18\x08 \x03(\tR\x0bnotIpBlocks\x12(\n\x10remote_ip_blocks\x18\t 
\x03(\tR\x0eremoteIpBlocks\x12/\n\x14not_remote_ip_blocks\x18\n \x03(\tR\x11notRemoteIpBlocks\"\xdf\x01\n\tOperation\x12\x14\n\x05hosts\x18\x01 \x03(\tR\x05hosts\x12\x1b\n\tnot_hosts\x18\x05 \x03(\tR\x08notHosts\x12\x14\n\x05ports\x18\x02 \x03(\tR\x05ports\x12\x1b\n\tnot_ports\x18\x06 \x03(\tR\x08notPorts\x12\x18\n\x07methods\x18\x03 \x03(\tR\x07methods\x12\x1f\n\x0bnot_methods\x18\x07 \x03(\tR\nnotMethods\x12\x14\n\x05paths\x18\x04 \x03(\tR\x05paths\x12\x1b\n\tnot_paths\x18\x08 \x03(\tR\x08notPaths\"Z\n\tCondition\x12\x16\n\x03key\x18\x01 \x01(\tB\x04\xe2\x41\x01\x02R\x03key\x12\x16\n\x06values\x18\x02 \x03(\tR\x06values\x12\x1d\n\nnot_values\x18\x03 \x03(\tR\tnotValuesB\x1fZ\x1distio.io/api/security/v1beta1b\x06proto3') + serialized_pb=_b('\n+security/v1beta1/authorization_policy.proto\x12\x16istio.security.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1btype/v1beta1/selector.proto\"\xa4\x03\n\x13\x41uthorizationPolicy\x12@\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelectorR\x08selector\x12\x32\n\x05rules\x18\x02 \x03(\x0b\x32\x1c.istio.security.v1beta1.RuleR\x05rules\x12J\n\x06\x61\x63tion\x18\x03 \x01(\x0e\x32\x32.istio.security.v1beta1.AuthorizationPolicy.ActionR\x06\x61\x63tion\x12[\n\x08provider\x18\x04 \x01(\x0b\x32=.istio.security.v1beta1.AuthorizationPolicy.ExtensionProviderH\x00R\x08provider\x1a\'\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\"4\n\x06\x41\x63tion\x12\t\n\x05\x41LLOW\x10\x00\x12\x08\n\x04\x44\x45NY\x10\x01\x12\t\n\x05\x41UDIT\x10\x02\x12\n\n\x06\x43USTOM\x10\x03\x42\x0f\n\raction_detail\"\xac\x02\n\x04Rule\x12\x35\n\x04\x66rom\x18\x01 \x03(\x0b\x32!.istio.security.v1beta1.Rule.FromR\x04\x66rom\x12/\n\x02to\x18\x02 \x03(\x0b\x32\x1f.istio.security.v1beta1.Rule.ToR\x02to\x12\x35\n\x04when\x18\x03 \x03(\x0b\x32!.istio.security.v1beta1.ConditionR\x04when\x1a>\n\x04\x46rom\x12\x36\n\x06source\x18\x01 
\x01(\x0b\x32\x1e.istio.security.v1beta1.SourceR\x06source\x1a\x45\n\x02To\x12?\n\toperation\x18\x01 \x01(\x0b\x32!.istio.security.v1beta1.OperationR\toperation\"\xbc\x03\n\x06Source\x12\x1e\n\nprincipals\x18\x01 \x03(\tR\nprincipals\x12%\n\x0enot_principals\x18\x05 \x03(\tR\rnotPrincipals\x12-\n\x12request_principals\x18\x02 \x03(\tR\x11requestPrincipals\x12\x34\n\x16not_request_principals\x18\x06 \x03(\tR\x14notRequestPrincipals\x12\x1e\n\nnamespaces\x18\x03 \x03(\tR\nnamespaces\x12%\n\x0enot_namespaces\x18\x07 \x03(\tR\rnotNamespaces\x12\x1b\n\tip_blocks\x18\x04 \x03(\tR\x08ipBlocks\x12\"\n\rnot_ip_blocks\x18\x08 \x03(\tR\x0bnotIpBlocks\x12(\n\x10remote_ip_blocks\x18\t \x03(\tR\x0eremoteIpBlocks\x12/\n\x14not_remote_ip_blocks\x18\n \x03(\tR\x11notRemoteIpBlocks\x12#\n\rtrust_domains\x18\x0b \x03(\tR\x0ctrustDomains\"\xdf\x01\n\tOperation\x12\x14\n\x05hosts\x18\x01 \x03(\tR\x05hosts\x12\x1b\n\tnot_hosts\x18\x05 \x03(\tR\x08notHosts\x12\x14\n\x05ports\x18\x02 \x03(\tR\x05ports\x12\x1b\n\tnot_ports\x18\x06 \x03(\tR\x08notPorts\x12\x18\n\x07methods\x18\x03 \x03(\tR\x07methods\x12\x1f\n\x0bnot_methods\x18\x07 \x03(\tR\nnotMethods\x12\x14\n\x05paths\x18\x04 \x03(\tR\x05paths\x12\x1b\n\tnot_paths\x18\x08 \x03(\tR\x08notPaths\"Z\n\tCondition\x12\x16\n\x03key\x18\x01 \x01(\tB\x04\xe2\x41\x01\x02R\x03key\x12\x16\n\x06values\x18\x02 \x03(\tR\x06values\x12\x1d\n\nnot_values\x18\x03 \x03(\tR\tnotValuesB\x1fZ\x1distio.io/api/security/v1beta1b\x06proto3') , dependencies=[google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,type_dot_v1beta1_dot_selector__pb2.DESCRIPTOR,]) 
@@ -327,6 +327,13 @@ message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='notRemoteIpBlocks', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='trust_domains', full_name='istio.security.v1beta1.Source.trust_domains', index=10, + number=11, type=9, cpp_type=9, label=3, + has_default_value=False, default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='trustDomains', file=DESCRIPTOR), ], extensions=[ ], @@ -340,7 +347,7 @@ oneofs=[ ], serialized_start=860, - serialized_end=1267, + serialized_end=1304, ) @@ -419,8 +426,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1270, - serialized_end=1493, + serialized_start=1307, + serialized_end=1530, ) @@ -464,8 +471,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1495, - serialized_end=1585, + serialized_start=1532, + serialized_end=1622, ) _AUTHORIZATIONPOLICY_EXTENSIONPROVIDER.containing_type = _AUTHORIZATIONPOLICY diff --git a/security/v1beta1/authorization_policy.gen.json b/security/v1beta1/authorization_policy.gen.json index 3104a218cbe..e4bfd3b9b52 100644 --- a/security/v1beta1/authorization_policy.gen.json +++ b/security/v1beta1/authorization_policy.gen.json @@ -228,6 +228,14 @@ "type": "string", "format": "string" } + }, + "trustDomains": { + "description": "Optional. A list of trust domains of client certificates. This field requires mTLS enabled.", + "type": "array", + "items": { + "type": "string", + "format": "string" + } } } }, diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go index 44021a6f267..fe9755b0204 100644 --- a/security/v1beta1/authorization_policy.pb.go +++ b/security/v1beta1/authorization_policy.pb.go 
@@ -685,7 +685,10 @@ type Source struct { // If not set, any IP is allowed. RemoteIpBlocks []string `protobuf:"bytes,9,rep,name=remote_ip_blocks,json=remoteIpBlocks,proto3" json:"remote_ip_blocks,omitempty"` // Optional. A list of negative match of remote IP blocks. - NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` + NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` + // Optional. A list of trust domains of client certificates. + // This field requires mTLS enabled. + TrustDomains []string `protobuf:"bytes,11,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -794,6 +797,13 @@ func (m *Source) GetNotRemoteIpBlocks() []string { return nil } +func (m *Source) GetTrustDomains() []string { + if m != nil { + return m.TrustDomains + } + return nil +} + // Operation specifies the operations of a request. Fields in the operation are // ANDed together. // 
@@ -1014,55 +1024,57 @@ func init() { } var fileDescriptor_438e25379256bb35 = []byte{ - // 768 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x95, 0xdd, 0x6e, 0xe3, 0x44, - 0x14, 0xc7, 0xd7, 0x8e, 0xe3, 0xc6, 0xa7, 0xda, 0x92, 0x1d, 0xa2, 0x28, 0xca, 0xb2, 0x69, 0x89, - 0x40, 0x44, 0x5a, 0xe1, 0x68, 0xc3, 0xc2, 0x1d, 0x1f, 0xc9, 0x6e, 0xd1, 0x16, 0xf5, 0x4b, 0x6e, - 0x4a, 0x45, 0xb9, 0xb0, 0x1c, 0x67, 0xda, 0x8c, 0xea, 0xf8, 0x98, 0xf1, 0x24, 0x10, 0x5e, 0x84, - 0x17, 0xe0, 0x92, 0x07, 0xe1, 0x92, 0x37, 0x00, 0xe5, 0x49, 0xd0, 0xcc, 0xd8, 0x8e, 0xe9, 0x97, - 0xc4, 0x5d, 0xce, 0x9c, 0xdf, 0xff, 0x9c, 0x33, 0xff, 0x63, 0x3b, 0xf0, 0x32, 0xa5, 0xe1, 0x82, - 0x33, 0xb1, 0xea, 0x2f, 0x5f, 0x4d, 0xa8, 0x08, 0x5e, 0xf5, 0x83, 0x85, 0x98, 0x21, 0x67, 0xbf, - 0x06, 0x82, 0x61, 0xec, 0x27, 0x18, 0xb1, 0x70, 0xe5, 0x26, 0x1c, 0x05, 0x92, 0x26, 0x4b, 0x05, - 0x43, 0x37, 0x97, 0xb8, 0x99, 0xa4, 0xbd, 0x7b, 0x8d, 0x78, 0x1d, 0xd1, 0x7e, 0x90, 0xb0, 0xfe, - 0x15, 0xa3, 0xd1, 0xd4, 0x9f, 0xd0, 0x59, 0xb0, 0x64, 0xc8, 0xb5, 0xb0, 0xfd, 0x5c, 0xac, 0x12, - 0x5a, 0x74, 0x48, 0x69, 0x44, 0x43, 0x91, 0x27, 0xbb, 0xbf, 0x57, 0xe0, 0xfd, 0x61, 0xb9, 0xe9, - 0xa9, 0xea, 0x49, 0xbe, 0x81, 0x5a, 0x4e, 0xb6, 0x8c, 0x3d, 0xa3, 0xb7, 0x3d, 0xf8, 0xc8, 0xd5, - 0x03, 0xc8, 0x6a, 0x79, 0x73, 0xf7, 0x02, 0xf9, 0x4d, 0x84, 0xc1, 0xf4, 0x2c, 0x63, 0xbd, 0x42, - 0x45, 0x06, 0x50, 0xe5, 0x8b, 0x88, 0xa6, 0x2d, 0x73, 0xaf, 0xd2, 0xdb, 0x1e, 0x7c, 0xe0, 0xde, - 0x3f, 0xbf, 0xeb, 0x2d, 0x22, 0xea, 0x69, 0x94, 0x7c, 0x07, 0x76, 0x10, 0xca, 0x29, 0x5a, 0x95, - 0x3d, 0xa3, 0xb7, 0x33, 0x18, 0x3c, 0x24, 0xba, 0x67, 0x64, 0x77, 0xa8, 0x94, 0x5e, 0x56, 0x81, - 0xfc, 0x08, 0xb5, 0x84, 0xe3, 0x92, 0x4d, 0x29, 0x6f, 0x59, 0xea, 0x06, 0x5f, 0xfe, 0x9f, 0x6a, - 0xfb, 0xbf, 0x08, 0x1a, 0xa7, 0x32, 0xce, 0x8a, 0xbc, 0x7b, 0xe2, 0x15, 0x05, 0xdb, 0x9f, 0xc0, - 0xb3, 0x3b, 0x00, 0x21, 0x60, 0xc5, 0xc1, 0x9c, 0x2a, 0xbf, 0x1c, 0x4f, 0xfd, 0xee, 0xbe, 0x06, - 
0x5b, 0xcf, 0x45, 0x1c, 0xa8, 0x0e, 0x0f, 0x0f, 0x4f, 0x2e, 0xea, 0x4f, 0x48, 0x0d, 0xac, 0xb7, - 0xfb, 0xc7, 0x3f, 0xd4, 0x0d, 0x75, 0x78, 0xfe, 0xf6, 0x60, 0x5c, 0x37, 0x09, 0x80, 0xfd, 0xe6, - 0xfc, 0x6c, 0x7c, 0x72, 0x54, 0xaf, 0x8c, 0xde, 0x83, 0xa7, 0xfa, 0x16, 0xfe, 0x94, 0x8a, 0x80, - 0x45, 0xdd, 0x3f, 0x4c, 0xb0, 0xa4, 0x51, 0xe4, 0x73, 0xb0, 0xae, 0x38, 0xce, 0x5b, 0x86, 0x32, - 0xf5, 0xc3, 0xc7, 0x4c, 0x75, 0xbf, 0xe5, 0x38, 0xf7, 0x14, 0x4e, 0xfa, 0x60, 0x0a, 0xcc, 0x36, - 0xb1, 0xfb, 0xa8, 0x68, 0x8c, 0x9e, 0x29, 0x50, 0xf6, 0xf9, 0x79, 0x46, 0xe5, 0x1e, 0x1e, 0xed, - 0xf3, 0x06, 0xe3, 0x29, 0x53, 0xb6, 0x2b, 0xbc, 0xfd, 0x15, 0x58, 0xb2, 0x2b, 0xf9, 0x02, 0xec, - 0x14, 0x17, 0x3c, 0xa4, 0xd9, 0xc3, 0xd3, 0x79, 0xa8, 0xc0, 0x99, 0xa2, 0xbc, 0x8c, 0x6e, 0xef, - 0x83, 0x39, 0x46, 0xf2, 0x35, 0x38, 0x98, 0x50, 0xae, 0xd6, 0x91, 0x15, 0x78, 0x70, 0x82, 0x93, - 0x1c, 0xf4, 0x36, 0x9a, 0xee, 0x6f, 0x15, 0xb0, 0x75, 0x65, 0xd2, 0x01, 0x48, 0x38, 0x8b, 0x43, - 0x96, 0x04, 0x51, 0xaa, 0x6c, 0x73, 0xbc, 0xd2, 0x09, 0xf9, 0x18, 0x76, 0x62, 0x14, 0x7e, 0x89, - 0xa9, 0x2a, 0xe6, 0x69, 0x8c, 0xe2, 0x74, 0x83, 0x7d, 0x0a, 0x84, 0xd3, 0x9f, 0x16, 0x34, 0xfd, - 0x0f, 0x6a, 0x2a, 0xf4, 0x59, 0x96, 0x29, 0xe1, 0xaf, 0xa1, 0x29, 0xab, 0xde, 0x23, 0xb1, 0x95, - 0xa4, 0x11, 0xa3, 0xf0, 0xee, 0xa8, 0x3a, 0x00, 0xf2, 0xa1, 0x49, 0x93, 0x20, 0xa4, 0xa9, 0xb2, - 0xde, 0xf1, 0x4a, 0x27, 0xf9, 0xac, 0x25, 0x66, 0xab, 0x98, 0xf5, 0x78, 0x83, 0x3d, 0x07, 0x87, - 0x25, 0xfe, 0x24, 0xc2, 0xf0, 0x26, 0x6d, 0x59, 0x8a, 0xa8, 0xb1, 0x64, 0xa4, 0x62, 0xd2, 0x05, - 0x49, 0xfb, 0x1b, 0xa0, 0xa6, 0x80, 0xed, 0x18, 0xc5, 0x41, 0xce, 0xf4, 0xa0, 0xce, 0xe9, 0x1c, - 0x05, 0x2d, 0x61, 0x8e, 0xc2, 0x76, 0xf4, 0x79, 0x41, 0xf6, 0xa1, 0xa1, 0xef, 0x79, 0x8b, 0x06, - 0x6d, 0x8c, 0xba, 0x65, 0x59, 0xd0, 0xfd, 0xdb, 0x00, 0xa7, 0x58, 0x19, 0x69, 0x40, 0x75, 0x86, - 0xa9, 0xc8, 0xf7, 0xa2, 0x03, 0x39, 0xbf, 0x2c, 0xaa, 0x33, 0x7a, 0x1b, 0xb5, 0x18, 0xc5, 0x3b, - 0x95, 0x6c, 0x40, 0x35, 0x41, 0x2e, 
0x72, 0xef, 0x75, 0x90, 0x4b, 0x74, 0xc6, 0x2e, 0x24, 0xa7, - 0x2a, 0xd9, 0x82, 0xad, 0x39, 0x15, 0x33, 0x9c, 0xe6, 0x9e, 0xe6, 0x21, 0xd9, 0x05, 0x79, 0x6f, - 0x3f, 0xcf, 0x6e, 0x65, 0x8e, 0xa3, 0x38, 0xca, 0x00, 0xd9, 0x2d, 0x10, 0xb3, 0xdc, 0x46, 0x1d, - 0x14, 0xdd, 0x54, 0xa6, 0xb6, 0xe9, 0x26, 0xe3, 0xee, 0x25, 0x38, 0xc5, 0x5b, 0x41, 0x9a, 0x50, - 0xb9, 0xa1, 0x2b, 0xfd, 0x45, 0x18, 0x59, 0xeb, 0xa1, 0x61, 0x7a, 0xf2, 0x80, 0x34, 0xc1, 0x5e, - 0x06, 0xd1, 0x82, 0xe6, 0xd7, 0xc8, 0x22, 0xf2, 0x02, 0x64, 0x77, 0x3f, 0xcb, 0xe9, 0x69, 0x65, - 0xaf, 0xef, 0xd5, 0xc1, 0xe8, 0xe5, 0x9f, 0xeb, 0x8e, 0xf1, 0xd7, 0xba, 0x63, 0xfc, 0xb3, 0xee, - 0x18, 0x97, 0x2f, 0xf4, 0x2b, 0xc1, 0x50, 0x7d, 0xfb, 0x6f, 0xff, 0x97, 0x4c, 0x6c, 0xf5, 0x85, - 0xff, 0xec, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xe2, 0xda, 0xc0, 0xc7, 0x66, 0x06, 0x00, 0x00, + // 788 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x95, 0xdd, 0x8e, 0xdb, 0x44, + 0x14, 0xc7, 0x6b, 0xc7, 0xf1, 0xc6, 0x27, 0xec, 0x92, 0x0e, 0x51, 0x64, 0xa5, 0x34, 0xbb, 0x04, + 0x10, 0x91, 0x2a, 0x1c, 0x35, 0x14, 0xee, 0xf8, 0x48, 0xba, 0x8b, 0x5a, 0xd4, 0x76, 0x57, 0xde, + 0x94, 0x8a, 0x72, 0x61, 0x39, 0xce, 0xb4, 0x19, 0xad, 0xe3, 0x63, 0xc6, 0xe3, 0x40, 0x78, 0x1e, + 0x2e, 0x79, 0x04, 0x1e, 0x80, 0x4b, 0xde, 0x00, 0x94, 0x27, 0x41, 0x33, 0x63, 0x3b, 0x69, 0xf7, + 0x43, 0xea, 0x5d, 0xce, 0x39, 0xbf, 0xff, 0xf9, 0xb4, 0x63, 0xb8, 0x97, 0xd1, 0x28, 0xe7, 0x4c, + 0xac, 0x87, 0xab, 0xfb, 0x33, 0x2a, 0xc2, 0xfb, 0xc3, 0x30, 0x17, 0x0b, 0xe4, 0xec, 0xf7, 0x50, + 0x30, 0x4c, 0x82, 0x14, 0x63, 0x16, 0xad, 0xbd, 0x94, 0xa3, 0x40, 0xd2, 0x61, 0x99, 0x60, 0xe8, + 0x95, 0x12, 0xaf, 0x90, 0x74, 0x0f, 0x5f, 0x23, 0xbe, 0x8e, 0xe9, 0x30, 0x4c, 0xd9, 0xf0, 0x15, + 0xa3, 0xf1, 0x3c, 0x98, 0xd1, 0x45, 0xb8, 0x62, 0xc8, 0xb5, 0xb0, 0x7b, 0x47, 0xac, 0x53, 0x5a, + 0x55, 0xc8, 0x68, 0x4c, 0x23, 0x51, 0x06, 0xfb, 0x7f, 0xd4, 0xe0, 0x83, 0xf1, 0x6e, 0xd1, 0x33, + 0x55, 0x93, 0x7c, 0x07, 
0x8d, 0x92, 0x74, 0x8d, 0x23, 0x63, 0xd0, 0x1c, 0x7d, 0xe2, 0xe9, 0x06, + 0x64, 0xb6, 0xb2, 0xb8, 0xf7, 0x02, 0xf9, 0x45, 0x8c, 0xe1, 0xfc, 0xbc, 0x60, 0xfd, 0x4a, 0x45, + 0x46, 0x50, 0xe7, 0x79, 0x4c, 0x33, 0xd7, 0x3c, 0xaa, 0x0d, 0x9a, 0xa3, 0x0f, 0xbd, 0xab, 0xfb, + 0xf7, 0xfc, 0x3c, 0xa6, 0xbe, 0x46, 0xc9, 0x0f, 0x60, 0x87, 0x91, 0xec, 0xc2, 0xad, 0x1d, 0x19, + 0x83, 0x83, 0xd1, 0xe8, 0x3a, 0xd1, 0x15, 0x2d, 0x7b, 0x63, 0xa5, 0xf4, 0x8b, 0x0c, 0xe4, 0x67, + 0x68, 0xa4, 0x1c, 0x57, 0x6c, 0x4e, 0xb9, 0x6b, 0xa9, 0x09, 0xbe, 0x7e, 0x97, 0x6c, 0x27, 0xbf, + 0x09, 0x9a, 0x64, 0xd2, 0x2e, 0x92, 0x3c, 0xba, 0xe5, 0x57, 0x09, 0xbb, 0x9f, 0xc1, 0xed, 0x4b, + 0x00, 0x21, 0x60, 0x25, 0xe1, 0x92, 0xaa, 0x7d, 0x39, 0xbe, 0xfa, 0xdd, 0x7f, 0x00, 0xb6, 0xee, + 0x8b, 0x38, 0x50, 0x1f, 0x3f, 0x79, 0x72, 0xfa, 0xa2, 0x75, 0x8b, 0x34, 0xc0, 0x3a, 0x3e, 0x79, + 0xf6, 0x53, 0xcb, 0x50, 0xce, 0xe7, 0xc7, 0x8f, 0xa7, 0x2d, 0x93, 0x00, 0xd8, 0x0f, 0x9f, 0x9f, + 0x4f, 0x4f, 0x9f, 0xb6, 0x6a, 0x93, 0xf7, 0x61, 0x5f, 0x4f, 0x11, 0xcc, 0xa9, 0x08, 0x59, 0xdc, + 0xff, 0xd3, 0x04, 0x4b, 0x2e, 0x8a, 0x7c, 0x09, 0xd6, 0x2b, 0x8e, 0x4b, 0xd7, 0x50, 0x4b, 0xfd, + 0xe8, 0xa6, 0xa5, 0x7a, 0xdf, 0x73, 0x5c, 0xfa, 0x0a, 0x27, 0x43, 0x30, 0x05, 0x16, 0x97, 0x38, + 0xbc, 0x51, 0x34, 0x45, 0xdf, 0x14, 0x28, 0xeb, 0xfc, 0xba, 0xa0, 0xf2, 0x0e, 0x37, 0xd6, 0x79, + 0x88, 0xc9, 0x9c, 0xa9, 0xb5, 0x2b, 0xbc, 0xfb, 0x0d, 0x58, 0xb2, 0x2a, 0xf9, 0x0a, 0xec, 0x0c, + 0x73, 0x1e, 0xd1, 0xe2, 0xe1, 0xe9, 0x5d, 0x97, 0xe0, 0x5c, 0x51, 0x7e, 0x41, 0x77, 0x4f, 0xc0, + 0x9c, 0x22, 0xf9, 0x16, 0x1c, 0x4c, 0x29, 0x57, 0xe7, 0x28, 0x12, 0x5c, 0xdb, 0xc1, 0x69, 0x09, + 0xfa, 0x5b, 0x4d, 0xff, 0xaf, 0x1a, 0xd8, 0x3a, 0x33, 0xe9, 0x01, 0xa4, 0x9c, 0x25, 0x11, 0x4b, + 0xc3, 0x38, 0x53, 0x6b, 0x73, 0xfc, 0x1d, 0x0f, 0xf9, 0x14, 0x0e, 0x12, 0x14, 0xc1, 0x0e, 0x53, + 0x57, 0xcc, 0x7e, 0x82, 0xe2, 0x6c, 0x8b, 0x7d, 0x0e, 0x84, 0xd3, 0x5f, 0x72, 0x9a, 0xbd, 0x81, + 0x9a, 0x0a, 0xbd, 0x5d, 0x44, 0x76, 0xf0, 0x07, 0xd0, 0x91, 
0x59, 0xaf, 0x90, 0xd8, 0x4a, 0xd2, + 0x4e, 0x50, 0xf8, 0x97, 0x54, 0x3d, 0x00, 0xf9, 0xd0, 0x64, 0x69, 0x18, 0xd1, 0x4c, 0xad, 0xde, + 0xf1, 0x77, 0x3c, 0x65, 0xaf, 0x3b, 0xcc, 0x5e, 0xd5, 0xeb, 0xb3, 0x2d, 0x76, 0x07, 0x1c, 0x96, + 0x06, 0xb3, 0x18, 0xa3, 0x8b, 0xcc, 0xb5, 0x14, 0xd1, 0x60, 0xe9, 0x44, 0xd9, 0xa4, 0x0f, 0x92, + 0x0e, 0xb6, 0x40, 0x43, 0x01, 0xcd, 0x04, 0xc5, 0xe3, 0x92, 0x19, 0x40, 0x8b, 0xd3, 0x25, 0x0a, + 0xba, 0x83, 0x39, 0x0a, 0x3b, 0xd0, 0xfe, 0x8a, 0x1c, 0x42, 0x5b, 0xcf, 0xf9, 0x16, 0x0d, 0x7a, + 0x31, 0x6a, 0xca, 0x37, 0x04, 0x1f, 0xc3, 0xbe, 0xe0, 0x79, 0x26, 0x82, 0x39, 0x2e, 0x43, 0x96, + 0x64, 0x6e, 0x53, 0x91, 0xef, 0x29, 0xe7, 0xb1, 0xf6, 0xf5, 0xff, 0x35, 0xc0, 0xa9, 0xee, 0x4a, + 0xda, 0x50, 0x5f, 0x60, 0x26, 0xca, 0xe3, 0x69, 0x43, 0x0e, 0x29, 0x2b, 0xeb, 0x88, 0x3e, 0x59, + 0x23, 0x41, 0xf1, 0x48, 0x05, 0xdb, 0x50, 0x4f, 0x91, 0x8b, 0xf2, 0x40, 0xda, 0x28, 0x25, 0x3a, + 0x62, 0x57, 0x92, 0x33, 0x15, 0x74, 0x61, 0x6f, 0x49, 0xc5, 0x02, 0xe7, 0xe5, 0xe2, 0x4b, 0x93, + 0x1c, 0x82, 0x5c, 0x4e, 0x50, 0x46, 0xf7, 0x8a, 0xb3, 0xa0, 0x78, 0x5a, 0x00, 0xb2, 0x5a, 0x28, + 0x16, 0xe5, 0xae, 0xb5, 0x51, 0x55, 0x53, 0x91, 0xc6, 0xb6, 0x9a, 0xb4, 0xfb, 0x2f, 0xc1, 0xa9, + 0x5e, 0x1d, 0xd2, 0x81, 0xda, 0x05, 0x5d, 0xeb, 0xbf, 0x8d, 0x89, 0xb5, 0x19, 0x1b, 0xa6, 0x2f, + 0x1d, 0xa4, 0x03, 0xf6, 0x2a, 0x8c, 0x73, 0x5a, 0x8e, 0x51, 0x58, 0xe4, 0x2e, 0xc8, 0xea, 0x41, + 0x11, 0xd3, 0xdd, 0xca, 0x5a, 0x3f, 0x2a, 0xc7, 0xe4, 0xde, 0xdf, 0x9b, 0x9e, 0xf1, 0xcf, 0xa6, + 0x67, 0xfc, 0xb7, 0xe9, 0x19, 0x2f, 0xef, 0xea, 0xf7, 0x86, 0xa1, 0xfa, 0x40, 0xbc, 0xfd, 0xc1, + 0x99, 0xd9, 0xea, 0x33, 0xf0, 0xc5, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5d, 0x1f, 0xa5, 0x66, + 0x8b, 0x06, 0x00, 0x00, } func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error) { 
@@ -1358,6 +1370,15 @@ func (m *Source) MarshalToSizedBuffer(dAtA []byte) (int, error) { i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.TrustDomains) > 0 { + for iNdEx := len(m.TrustDomains) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.TrustDomains[iNdEx]) + copy(dAtA[i:], m.TrustDomains[iNdEx]) + i = encodeVarintAuthorizationPolicy(dAtA, i, uint64(len(m.TrustDomains[iNdEx]))) + i-- + dAtA[i] = 0x5a + } + } if len(m.NotRemoteIpBlocks) > 0 { for iNdEx := len(m.NotRemoteIpBlocks) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.NotRemoteIpBlocks[iNdEx]) @@ -1797,6 +1818,12 @@ func (m *Source) Size() (n int) { n += 1 + l + sovAuthorizationPolicy(uint64(l)) } } + if len(m.TrustDomains) > 0 { + for _, s := range m.TrustDomains { + l = len(s) + n += 1 + l + sovAuthorizationPolicy(uint64(l)) + } + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -2831,6 +2858,38 @@ func (m *Source) Unmarshal(dAtA []byte) error { } m.NotRemoteIpBlocks = append(m.NotRemoteIpBlocks, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 11: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field TrustDomains", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAuthorizationPolicy + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthAuthorizationPolicy + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthAuthorizationPolicy + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.TrustDomains = append(m.TrustDomains, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipAuthorizationPolicy(dAtA[iNdEx:]) 
diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index d1561ad4037..54545c20ac2 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -477,6 +477,18 @@

Source

Optional. A list of negative match of remote IP blocks.

+ + +No + + + +trustDomains +string[] + +

Optional. A list of trust domains of client certificates. +This field requires mTLS enabled.

+ No
diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto
index 3d1237c695e..42d14526a51 100644
--- a/security/v1beta1/authorization_policy.proto
+++ b/security/v1beta1/authorization_policy.proto
@@ -410,6 +410,10 @@ message Source {

 // Optional. A list of negative match of remote IP blocks.
 repeated string not_remote_ip_blocks = 10;
+
+ // Optional. A list of trust domains of client certificates.
+ // This field requires mTLS enabled.
+ repeated string trust_domains = 11;
 }

 // Operation specifies the operations of a request. Fields in the operation are
From c5d59763924b6ae399cdbd70d2ab6ff00a5b230c Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Tue, 30 Mar 2021 09:58:14 +0900
Subject: [PATCH 2/6] have multiple trust_domains in CertificateData, and fixed comment
Signed-off-by: Takeshi Yoneda
---
 mesh/v1alpha1/config.pb.go | 233 +++++++++---------
 mesh/v1alpha1/config.proto | 29 +--
 mesh/v1alpha1/istio.mesh.v1alpha1.gen.json | 15 +-
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 41 +--
 python/istio_api/mesh/v1alpha1/config_pb2.py | 98 ++++----
 .../v1beta1/authorization_policy.gen.json | 2 +-
 security/v1beta1/authorization_policy.pb.go | 2 +-
 security/v1beta1/authorization_policy.pb.html | 2 +-
 security/v1beta1/authorization_policy.proto | 2 +-
 9 files changed, 188 insertions(+), 236 deletions(-)
diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go
index 1f223c4076b..631dd671e7a 100644
--- a/mesh/v1alpha1/config.pb.go
+++ b/mesh/v1alpha1/config.pb.go
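Review bot: The comment on the new `trust_domains` field in `message Source` does not say how an entry is matched or what happens to a request that carries no verified client certificate, and both decide whether a rule built on this field is safe to rely on. A reader cannot tell whether each value is compared exactly against the trust domain of the peer's SPIFFE ID or whether wildcard forms are accepted, nor whether "requires mTLS enabled" means a plaintext request simply never matches; a non-match is the safe outcome for an allow rule, but a deny rule keyed only on this field would presumably not trigger for plaintext traffic. I would extend the comment with something like `// Each entry is compared with the trust domain of the peer certificate's SPIFFE ID.` and `// A request without a verified client certificate never matches this field.`, to be confirmed against the proxy-side implementation. Unlike `not_remote_ip_blocks` in the visible context, there is no negated counterpart, which should either be added or noted as intentional. The body of `message Source` starts above the hunk.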
@@ -898,12 +898,10 @@ type MeshConfig_CertificateData struct { // *MeshConfig_CertificateData_Pem // *MeshConfig_CertificateData_SpiffeBundleUrl CertificateData isMeshConfig_CertificateData_CertificateData `protobuf_oneof:"certificate_data"` - // Optional. Specify the trust domain to which this certificate data belongs. - // If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for - // distinguishing different trust domains from each other. Certificates in a same trust domain will be merged - // and used together to validate the trust domain. - // If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set. - TrustDomain string `protobuf:"bytes,3,opt,name=trust_domain,json=trustDomain,proto3" json:"trustDomain,omitempty"` + // Optional. Specify the list of trust domains to which this certificate data belongs. + // If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain + // and its aliases. + TrustDomains []string `protobuf:"bytes,3,rep,name=trust_domains,json=trustDomains,proto3" json:"trustDomains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -979,11 +977,11 @@ func (m *MeshConfig_CertificateData) GetSpiffeBundleUrl() string { return "" } -func (m *MeshConfig_CertificateData) GetTrustDomain() string { +func (m *MeshConfig_CertificateData) GetTrustDomains() []string { if m != nil { - return m.TrustDomain + return m.TrustDomains } - return "" + return nil } // XXX_OneofWrappers is for the internal use of the proto package. 
@@ -2325,12 +2323,12 @@ func init() { func init() { proto.RegisterFile("mesh/v1alpha1/config.proto", fileDescriptor_b5c7ece76d5d5022) } var fileDescriptor_b5c7ece76d5d5022 = []byte{ - // 2923 bytes of a gzipped FileDescriptorProto + // 2932 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0x4f, 0x73, 0x1b, 0x37, 0x96, 0x37, 0x29, 0xda, 0x6a, 0x81, 0xa4, 0xd4, 0x82, 0xfe, 0xb8, 0x4d, 0xc7, 0xb2, 0xac, 0xc4, 0xb6, 0xe2, 0xf5, 0x52, 0xb1, 0x9c, 0x38, 0x4e, 0xb2, 0xb5, 0xb5, 0x14, 0x49, 0x5b, 0x62, 0x68, 0x51, 0xdb, 0xa2, 0x9c, 0x7f, 0x95, 0x42, 0x41, 0xdd, 0x20, 0xd9, 0x51, 0xb3, 0xd1, 0x0b, 0xa0, - 0x65, 0xc9, 0x55, 0xfb, 0x05, 0x76, 0x4f, 0x7b, 0xde, 0xcb, 0x1c, 0xe6, 0x3a, 0xf3, 0x39, 0xa6, + 0x65, 0xc9, 0x55, 0xfb, 0x09, 0x76, 0x2f, 0x7b, 0xde, 0xcb, 0x9c, 0xe6, 0x36, 0xf3, 0x39, 0xa6, 0x6a, 0x2e, 0x73, 0xc8, 0x71, 0x0e, 0x53, 0xf9, 0x12, 0x73, 0x9d, 0xc2, 0x9f, 0x26, 0x5b, 0x12, 0x63, 0x45, 0x53, 0x99, 0xb9, 0x11, 0x0f, 0xef, 0xf7, 0x7b, 0xc0, 0x6b, 0xe0, 0x3d, 0xbc, 0x47, 0x50, 0x19, 0x12, 0x3e, 0xd8, 0x38, 0x7e, 0x82, 0xc3, 0x78, 0x80, 0x9f, 0x6c, 0x78, 0x34, 0xea, 
@@ -2415,100 +2413,101 @@ var fileDescriptor_b5c7ece76d5d5022 = []byte{ 0x7c, 0xb9, 0xb3, 0xdf, 0x75, 0xbf, 0x41, 0x9d, 0xdd, 0xf6, 0x37, 0xf6, 0x35, 0x58, 0x06, 0x33, 0xb5, 0x76, 0xbb, 0xf3, 0x15, 0xaa, 0xed, 0x7e, 0x63, 0xe7, 0xd6, 0x0a, 0x56, 0xde, 0xce, 0x3f, 0x5a, 0x7c, 0xbd, 0xe3, 0x76, 0x0f, 0x6a, 0x6d, 0xb4, 0xdf, 0x74, 0x5f, 0xef, 0xd4, 0x9b, 0x4a, - 0xb9, 0xf2, 0x3f, 0x39, 0x30, 0x77, 0x2e, 0xa1, 0x40, 0x08, 0xa6, 0x62, 0x32, 0x54, 0x0b, 0x9d, + 0xb9, 0xf2, 0xbf, 0x39, 0x30, 0x77, 0x2e, 0xa1, 0x40, 0x08, 0xa6, 0x62, 0x32, 0x54, 0x0b, 0x9d, 0xd9, 0xbe, 0xe6, 0xca, 0x01, 0x7c, 0x0c, 0xe6, 0x79, 0x1c, 0xf4, 0x7a, 0x04, 0x1d, 0x26, 0x91, - 0x1f, 0x12, 0x94, 0xb0, 0xd0, 0xc9, 0x1b, 0x8d, 0x39, 0x3d, 0xb5, 0xa5, 0x66, 0x0e, 0x58, 0x78, - 0x21, 0x63, 0x4e, 0x5d, 0xc8, 0x98, 0x5b, 0x10, 0xd8, 0xd9, 0xb3, 0xed, 0x63, 0x81, 0x2b, 0xff, - 0x0d, 0x4a, 0xd9, 0x4b, 0x0c, 0x3f, 0x00, 0xb3, 0x32, 0xba, 0xa2, 0x30, 0x18, 0x06, 0x42, 0x59, - 0xcc, 0xe9, 0xa7, 0xb0, 0x94, 0xb6, 0xa5, 0x50, 0x1a, 0x7b, 0x09, 0x60, 0x46, 0x2b, 0x7d, 0xf1, - 0xe7, 0x2f, 0x8b, 0xc8, 0xf6, 0x88, 0xc4, 0xbc, 0xf4, 0x2b, 0xbf, 0xcf, 0x81, 0xb9, 0x73, 0xd7, - 0x1d, 0x76, 0x81, 0x35, 0x8a, 0x18, 0x39, 0x45, 0xf9, 0xfc, 0x8a, 0x11, 0xa3, 0x3a, 0x0a, 0x1d, - 0x23, 0x26, 0xb8, 0x08, 0xae, 0x0f, 0x28, 0x17, 0xdc, 0xc9, 0xab, 0x04, 0xa8, 0x07, 0x95, 0x0d, - 0x60, 0x8d, 0xec, 0xbe, 0x0f, 0xca, 0x69, 0xf8, 0x55, 0x19, 0x48, 0x19, 0xb7, 0xdc, 0x92, 0x11, - 0xaa, 0x94, 0x55, 0xf9, 0x31, 0x07, 0xf2, 0xf5, 0x1a, 0x74, 0xc0, 0x34, 0xf6, 0x7d, 0xf9, 0xb6, - 0x36, 0xfe, 0x49, 0x87, 0xb0, 0x03, 0x4a, 0x22, 0xe4, 0xe3, 0x98, 0x97, 0x3f, 0x13, 0x49, 0x27, - 0x96, 0x2e, 0x2a, 0x46, 0x74, 0xdb, 0xfb, 0xa3, 0x55, 0x17, 0x45, 0xc8, 0x47, 0xcb, 0xda, 0x02, - 0x73, 0x8c, 0xfc, 0x57, 0x42, 0xf8, 0xd8, 0xd1, 0x53, 0x97, 0xa6, 0x3e, 0x83, 0x48, 0x0b, 0xaa, - 0xbb, 0xa0, 0xa8, 0xec, 0xfb, 0x88, 0x07, 0x3e, 0x51, 0xb5, 0xa3, 0xe5, 0x02, 0x2d, 0xda, 0x0f, - 0x7c, 0x52, 0xf9, 0xcd, 0x02, 0x98, 0xbf, 0x10, 0x32, 0x20, 0x04, 0x05, 
0x95, 0x83, 0xf4, 0x16, - 0xd5, 0x6f, 0xf8, 0xbf, 0x39, 0xb0, 0xa8, 0xdf, 0xc5, 0xe4, 0x44, 0xc8, 0x37, 0xde, 0xe0, 0xad, - 0xaa, 0x35, 0xcd, 0x46, 0xbf, 0xbe, 0x72, 0x60, 0xaa, 0xaa, 0x47, 0xb4, 0x14, 0xb3, 0x08, 0x87, - 0xb5, 0x44, 0x0c, 0x28, 0x0b, 0xde, 0xaa, 0x7d, 0xa8, 0x6a, 0xd5, 0xa8, 0x6d, 0x5f, 0x73, 0xe7, - 0x89, 0xd1, 0x94, 0x4a, 0x6f, 0xe5, 0xe4, 0xc4, 0xd5, 0xf4, 0x59, 0xec, 0x19, 0x17, 0xfd, 0xaa, - 0xab, 0x79, 0xc9, 0x62, 0xef, 0x67, 0x57, 0x23, 0x27, 0x21, 0x06, 0x37, 0xde, 0x06, 0xf1, 0x51, - 0x10, 0x29, 0x0f, 0x17, 0x37, 0x5f, 0x5e, 0xdd, 0xfc, 0xb7, 0x0a, 0x6f, 0x0a, 0xb1, 0x8c, 0x35, - 0x43, 0x0c, 0x7f, 0x00, 0x33, 0x61, 0xd0, 0x1f, 0x08, 0x2e, 0x48, 0xac, 0x2a, 0xfb, 0x71, 0x59, - 0x7c, 0x05, 0x2b, 0xed, 0x94, 0xe2, 0xa2, 0xa1, 0x31, 0x3d, 0xf4, 0xc1, 0xb4, 0x8c, 0x11, 0x3e, - 0xed, 0x9b, 0xde, 0xc0, 0xf6, 0xd5, 0x2d, 0x35, 0x34, 0xc1, 0x45, 0x3b, 0x29, 0x35, 0x0c, 0x40, - 0x91, 0x0b, 0xec, 0x1d, 0xf9, 0x2c, 0x38, 0x26, 0x4c, 0x55, 0xde, 0xc5, 0xcd, 0xe6, 0xd5, 0x2d, - 0xed, 0x8f, 0x49, 0x32, 0x66, 0xb2, 0xdc, 0x90, 0x01, 0x40, 0x63, 0x12, 0x79, 0x24, 0xe2, 0x09, - 0x57, 0xc5, 0x7b, 0x71, 0x73, 0xef, 0xea, 0x96, 0x3a, 0x31, 0x89, 0xea, 0x8a, 0xa3, 0xd6, 0x97, - 0x37, 0xf7, 0xc2, 0xde, 0x32, 0x56, 0x2a, 0x7f, 0xcd, 0x83, 0x07, 0xbf, 0xec, 0x84, 0xcb, 0xa0, - 0x92, 0xd6, 0xa9, 0x26, 0xa8, 0x98, 0xa1, 0xbc, 0x88, 0xaa, 0x95, 0x23, 0xef, 0x58, 0xd9, 0x55, - 0xbf, 0xe5, 0x9d, 0x8e, 0xb1, 0x18, 0xa0, 0x98, 0x91, 0x5e, 0x70, 0x62, 0xe2, 0x3d, 0x90, 0xa2, - 0x3d, 0x25, 0x81, 0xb7, 0xc1, 0x4c, 0x0f, 0x07, 0x21, 0x92, 0x8b, 0x31, 0x57, 0xde, 0x92, 0x02, - 0xb9, 0x7c, 0x59, 0xe2, 0xcb, 0x37, 0x66, 0xc2, 0x11, 0x8d, 0x10, 0x61, 0x8c, 0x32, 0x75, 0x9a, - 0x66, 0xdc, 0xb2, 0x16, 0x77, 0xa2, 0xa6, 0x14, 0xc2, 0x4f, 0x81, 0x13, 0x44, 0x5e, 0x98, 0xf8, - 0x04, 0x0d, 0x08, 0x96, 0x59, 0x1d, 0x05, 0x11, 0xf2, 0x06, 0xc4, 0x3b, 0x72, 0x6e, 0xa8, 0x48, - 0xba, 0x64, 0xe6, 0xb7, 0xf5, 0xf4, 0x4e, 0x54, 0x97, 0x93, 0xf0, 0xdf, 0xc1, 0x7b, 0x29, 0x40, - 0x50, 0x94, 
0xc4, 0x5c, 0x30, 0x82, 0x87, 0xd2, 0x1a, 0x0e, 0x43, 0xfa, 0xc6, 0x99, 0x56, 0x60, - 0xc7, 0xe8, 0x74, 0xe9, 0x81, 0xd1, 0xe8, 0x44, 0x35, 0x39, 0x0f, 0xff, 0x03, 0xdc, 0xc9, 0xe0, - 0x7d, 0xfa, 0x26, 0x1a, 0x33, 0xf8, 0x24, 0x3a, 0x75, 0x2c, 0x45, 0x70, 0x6b, 0x44, 0xd0, 0x18, - 0xa9, 0x74, 0xa2, 0x06, 0x89, 0x4e, 0x2b, 0xff, 0x9f, 0x7b, 0x97, 0xe7, 0xb3, 0xb7, 0xf9, 0x8a, - 0x9e, 0x3f, 0xe3, 0xd8, 0xa9, 0xcb, 0x1d, 0x5b, 0x98, 0xe0, 0xd8, 0xca, 0x11, 0x58, 0x9a, 0x78, - 0xd7, 0xaf, 0xb8, 0x96, 0x0f, 0xc0, 0xec, 0x10, 0x9f, 0x20, 0x81, 0xfb, 0x28, 0x24, 0x51, 0x5f, - 0x0c, 0xd4, 0x82, 0xca, 0x6e, 0x69, 0x88, 0x4f, 0xba, 0xb8, 0xdf, 0x56, 0xb2, 0xca, 0xff, 0xe5, - 0x80, 0xf3, 0x73, 0x77, 0xfe, 0x8a, 0x06, 0xef, 0x81, 0x92, 0xe9, 0xab, 0x08, 0x7a, 0x44, 0x46, - 0xef, 0x0c, 0x2d, 0xeb, 0x4a, 0xd1, 0x84, 0x35, 0x15, 0x26, 0xac, 0x29, 0x04, 0xcb, 0x93, 0x83, - 0xc3, 0x3f, 0xc4, 0x03, 0x7f, 0xce, 0x83, 0x85, 0x09, 0x11, 0x42, 0x3e, 0x0b, 0x7c, 0x72, 0x98, - 0xf4, 0x4d, 0xb2, 0xd7, 0x03, 0xd8, 0x05, 0x8e, 0xe4, 0x8c, 0x92, 0xe1, 0x21, 0x61, 0x88, 0xf6, - 0x10, 0x16, 0x82, 0x05, 0x87, 0x89, 0xac, 0xb0, 0x74, 0x9e, 0xbb, 0x7d, 0x21, 0xf9, 0xee, 0x44, - 0xe2, 0xd9, 0xc7, 0xa6, 0xc4, 0x18, 0xe2, 0x93, 0x5d, 0x85, 0xed, 0xf4, 0x6a, 0x23, 0x24, 0x7c, - 0x0d, 0x6e, 0x9d, 0x63, 0x8d, 0x22, 0x2a, 0xd4, 0x69, 0xe4, 0x26, 0x61, 0xbd, 0x93, 0x76, 0x39, - 0x4b, 0x3b, 0x86, 0xca, 0xd2, 0xe5, 0x2c, 0xef, 0x90, 0x70, 0x8e, 0xfb, 0x04, 0x91, 0x63, 0x12, - 0x09, 0x6e, 0x92, 0xd1, 0x3b, 0xa9, 0x9d, 0x0c, 0xf5, 0x2b, 0x8d, 0x6e, 0x2a, 0xf0, 0x04, 0xf7, - 0x5e, 0x9f, 0xe0, 0xde, 0x1f, 0xf3, 0x60, 0xe5, 0xdd, 0x61, 0xf1, 0x8a, 0x5f, 0xf5, 0x0d, 0x98, - 0xf6, 0x68, 0x24, 0xc8, 0x89, 0x7c, 0xed, 0x4c, 0xad, 0xcf, 0x6e, 0x7e, 0xff, 0x6b, 0xc7, 0xe9, - 0xaa, 0x1c, 0x93, 0xba, 0x36, 0xe2, 0xa6, 0xd6, 0x7e, 0xd9, 0xe1, 0x5d, 0x23, 0xa0, 0x94, 0x85, - 0xc3, 0x39, 0x50, 0x3c, 0xd8, 0xdd, 0xdf, 0x6b, 0xd6, 0x77, 0x5e, 0xec, 0x34, 0x1b, 0xf6, 0x35, - 0xb8, 0x04, 0xe6, 0xbf, 0x7a, 0x5a, 0x47, 0x5d, 
0xb7, 0x56, 0x6f, 0xa2, 0x7a, 0x67, 0xb7, 0xdb, - 0xfc, 0xba, 0x6b, 0xe7, 0x60, 0x09, 0x58, 0x2f, 0xdd, 0xbd, 0x3a, 0xda, 0xda, 0xd9, 0xb5, 0xf3, - 0xf0, 0x26, 0x58, 0xa8, 0xb7, 0x3b, 0x07, 0x8d, 0x73, 0x6a, 0x53, 0xf0, 0x06, 0xc8, 0x6f, 0x3d, - 0xb5, 0x0b, 0x5b, 0x00, 0x58, 0x69, 0x5d, 0x56, 0x79, 0x0c, 0xec, 0xf3, 0x25, 0x97, 0xf4, 0x69, - 0xda, 0xc8, 0x35, 0x3e, 0x35, 0xc3, 0xb5, 0x16, 0x58, 0x9a, 0xd8, 0x44, 0xbe, 0xb8, 0xd2, 0x69, - 0x30, 0xd5, 0x79, 0xf1, 0xc2, 0xce, 0xc1, 0x22, 0x98, 0x6e, 0x34, 0x5f, 0xd4, 0x0e, 0xda, 0x5d, - 0x3b, 0x0f, 0x01, 0xb8, 0xb1, 0xdf, 0x75, 0x77, 0xea, 0x5d, 0x7b, 0x6a, 0xed, 0x01, 0x00, 0x32, - 0x74, 0x9a, 0xa2, 0xca, 0x02, 0x85, 0xdd, 0xce, 0x6e, 0xd3, 0xbe, 0x06, 0x67, 0x01, 0x78, 0x75, - 0xa0, 0xea, 0x9b, 0x6e, 0x7b, 0xdf, 0xce, 0xad, 0x3d, 0x04, 0xf3, 0x17, 0xfa, 0xb4, 0x52, 0x5d, - 0x6d, 0xea, 0x9a, 0xfc, 0xd5, 0xda, 0xef, 0xec, 0xda, 0xb9, 0xb5, 0x4d, 0x30, 0x77, 0xae, 0xa1, - 0x02, 0x21, 0x98, 0x6d, 0x74, 0xd0, 0x6e, 0xa7, 0x8b, 0x0e, 0xf6, 0x5e, 0xba, 0xb5, 0x86, 0xe4, - 0x2f, 0x82, 0xe9, 0x74, 0x90, 0x6b, 0x15, 0xac, 0x9c, 0x9d, 0x6f, 0xc9, 0xba, 0x6a, 0xaa, 0x55, - 0xb0, 0xa6, 0xec, 0x42, 0xab, 0x60, 0x7d, 0x64, 0x3f, 0x69, 0x15, 0xac, 0x5b, 0x76, 0xa5, 0x55, - 0xb0, 0x56, 0xec, 0xbb, 0xad, 0x82, 0x05, 0xec, 0x62, 0xab, 0x60, 0x15, 0xed, 0x52, 0xab, 0x60, - 0xcd, 0xd9, 0x76, 0xab, 0x60, 0xd9, 0xf6, 0x7c, 0xab, 0x60, 0x41, 0x7b, 0xa1, 0x55, 0xb0, 0x16, - 0xec, 0xc5, 0x56, 0xc1, 0x5a, 0xb4, 0x97, 0x5a, 0x05, 0x6b, 0xc9, 0x5e, 0x6e, 0x15, 0xac, 0x9b, - 0xb6, 0xd3, 0x2a, 0x58, 0x77, 0xec, 0x95, 0x56, 0xc1, 0xfa, 0xc4, 0x7e, 0xd6, 0x2a, 0x58, 0xf7, - 0xed, 0x07, 0xad, 0x82, 0xf5, 0xc0, 0x7e, 0xd8, 0x2a, 0x58, 0x0f, 0xed, 0x75, 0x17, 0x0e, 0x83, - 0x13, 0xc2, 0x74, 0xc6, 0x53, 0x9d, 0x39, 0xc2, 0xdc, 0x05, 0x2d, 0x63, 0x44, 0x35, 0xd5, 0x8c, - 0x70, 0x29, 0xed, 0x1a, 0xeb, 0xce, 0x92, 0x46, 0x70, 0x77, 0xd4, 0x4c, 0xd6, 0x18, 0xf5, 0xb7, - 0x8c, 0x06, 0x72, 0x77, 0x39, 0xab, 0x8a, 0x46, 0x39, 0xc5, 0xbd, 0x2f, 0x5f, 0xe9, 
0x1e, 0x66, - 0x32, 0xf3, 0x09, 0x12, 0x92, 0x21, 0x11, 0xaa, 0x80, 0xe6, 0xaa, 0x17, 0x20, 0x8b, 0xd3, 0x28, - 0x10, 0xa7, 0x6e, 0x51, 0xbe, 0x77, 0x8d, 0x39, 0x77, 0x9e, 0xf9, 0xe3, 0x06, 0x99, 0x4f, 0x42, - 0x7c, 0xea, 0x96, 0xb5, 0x49, 0x53, 0x99, 0xb8, 0x69, 0x73, 0x5c, 0x37, 0x34, 0x54, 0x25, 0x70, - 0x66, 0xad, 0x6e, 0x89, 0xfb, 0x1c, 0x25, 0x3e, 0x47, 0xf2, 0x11, 0xe1, 0xce, 0xf3, 0x0b, 0x84, - 0xcb, 0x86, 0x41, 0xce, 0xa8, 0xe8, 0x8f, 0x86, 0x34, 0x89, 0x84, 0x0b, 0x15, 0x90, 0x13, 0x74, - 0xf4, 0x9c, 0x23, 0x8e, 0xd1, 0x0f, 0x6f, 0x84, 0x5b, 0x11, 0x84, 0x0d, 0xd3, 0x1e, 0xa4, 0xcf, - 0x70, 0x10, 0xa1, 0xf4, 0x2f, 0x38, 0x77, 0x31, 0xf5, 0x89, 0xf1, 0xe0, 0x21, 0x16, 0xde, 0xc0, - 0x75, 0xb2, 0x23, 0x24, 0x2f, 0x21, 0x89, 0x04, 0x0b, 0x08, 0x77, 0x97, 0x2e, 0xcc, 0xc8, 0x4a, - 0x68, 0xed, 0x8f, 0x39, 0x50, 0xca, 0xb6, 0xa2, 0xff, 0x99, 0x55, 0xd9, 0x1e, 0x58, 0xe4, 0xc9, - 0x21, 0xf7, 0x58, 0x70, 0x48, 0x7c, 0xc4, 0x48, 0xda, 0x36, 0xd7, 0xc1, 0xea, 0xce, 0xc4, 0x60, - 0xe5, 0x1a, 0x2d, 0x77, 0x61, 0x0c, 0x4d, 0x65, 0x7c, 0xed, 0x4b, 0x50, 0xcc, 0x74, 0x05, 0xe4, - 0xf3, 0x8e, 0x13, 0x8f, 0x11, 0xd3, 0x06, 0xd4, 0xfb, 0x01, 0x5a, 0xa4, 0x3a, 0x7f, 0xb7, 0xc1, - 0x8c, 0x1f, 0x71, 0xdd, 0xa1, 0x35, 0x45, 0xad, 0xe5, 0x47, 0x5c, 0x35, 0x67, 0x1f, 0xad, 0x02, - 0x2b, 0x65, 0x86, 0x8b, 0xc0, 0x4e, 0xfb, 0x0f, 0x69, 0xd7, 0xc2, 0xbe, 0xb6, 0xb5, 0xfe, 0x87, - 0x9f, 0x56, 0x72, 0x7f, 0xfa, 0x69, 0x25, 0xf7, 0x97, 0x9f, 0x56, 0x72, 0xdf, 0x56, 0xf4, 0x7a, - 0xf5, 0x3f, 0x95, 0x1b, 0x67, 0xfe, 0xfb, 0x3c, 0xbc, 0xa1, 0x12, 0xc6, 0xd3, 0xbf, 0x05, 0x00, - 0x00, 0xff, 0xff, 0xf3, 0x2a, 0xe4, 0x4f, 0x84, 0x1d, 0x00, 0x00, + 0x1f, 0x12, 0x94, 0xb0, 0xd0, 0xc9, 0x1b, 0x8d, 0x39, 0x3d, 0xb5, 0xa5, 0x66, 0x0e, 0x58, 0x28, + 0x9f, 0xb0, 0xd9, 0x74, 0xc8, 0x9d, 0x29, 0x15, 0xe8, 0x4b, 0x99, 0x3c, 0xc8, 0xb7, 0x20, 0xb0, + 0xb3, 0xa7, 0xdb, 0xc7, 0x02, 0x57, 0xfe, 0x1b, 0x94, 0xb2, 0xd7, 0x18, 0x7e, 0x00, 0x66, 0x65, + 0x7c, 0x45, 0x61, 0x30, 0x0c, 0x84, 0xb2, 0x99, 0xd3, 
0x8f, 0x61, 0x29, 0x6d, 0x4b, 0xa1, 0x34, + 0xf7, 0x12, 0xc0, 0x8c, 0x56, 0xfa, 0xe6, 0xcf, 0x5f, 0x16, 0x93, 0xed, 0x11, 0x89, 0x79, 0xeb, + 0x57, 0x7e, 0x9f, 0x03, 0x73, 0xe7, 0x2e, 0x3c, 0xec, 0x02, 0x6b, 0x14, 0x33, 0x72, 0x8a, 0xf2, + 0xf9, 0x15, 0x63, 0x46, 0x75, 0x14, 0x3c, 0x46, 0x4c, 0x70, 0x11, 0x5c, 0x1f, 0x50, 0x2e, 0xb8, + 0x93, 0x57, 0x9e, 0xd1, 0x83, 0xca, 0x06, 0xb0, 0x46, 0x76, 0xdf, 0x07, 0xe5, 0x34, 0x00, 0xab, + 0x1c, 0xa4, 0x8c, 0x5b, 0x6e, 0xc9, 0x08, 0x55, 0xd2, 0xaa, 0xfc, 0x98, 0x03, 0xf9, 0x7a, 0x0d, + 0x3a, 0x60, 0x1a, 0xfb, 0xbe, 0x7c, 0x5d, 0x1b, 0xff, 0xa4, 0x43, 0xd8, 0x01, 0x25, 0x11, 0xf2, + 0x71, 0xd4, 0xcb, 0x9f, 0x89, 0xa5, 0x13, 0x8b, 0x17, 0x15, 0x25, 0xba, 0xed, 0xfd, 0xd1, 0xaa, + 0x8b, 0x22, 0xe4, 0xa3, 0x65, 0x6d, 0x81, 0x39, 0x46, 0xfe, 0x2b, 0x21, 0x7c, 0xec, 0xe8, 0xa9, + 0x4b, 0x93, 0x9f, 0x41, 0xa4, 0x25, 0xd5, 0x5d, 0x50, 0x54, 0xf6, 0x7d, 0xc4, 0x03, 0x9f, 0xa8, + 0xea, 0xd1, 0x72, 0x81, 0x16, 0xed, 0x07, 0x3e, 0xa9, 0xfc, 0x66, 0x01, 0xcc, 0x5f, 0x08, 0x1a, + 0x10, 0x82, 0x82, 0xca, 0x42, 0x7a, 0x8b, 0xea, 0x37, 0xfc, 0x9f, 0x1c, 0x58, 0xd4, 0x2f, 0x63, + 0x72, 0x22, 0xe4, 0x2b, 0x6f, 0xf0, 0x56, 0x55, 0x9b, 0x66, 0xa3, 0x5f, 0x5f, 0x39, 0x34, 0x55, + 0xd5, 0x33, 0x5a, 0x8a, 0x59, 0x84, 0xc3, 0x5a, 0x22, 0x06, 0x94, 0x05, 0x6f, 0xd5, 0x3e, 0x54, + 0xbd, 0x6a, 0xd4, 0xb6, 0xaf, 0xb9, 0xf3, 0xc4, 0x68, 0x4a, 0xa5, 0xb7, 0x72, 0x72, 0xe2, 0x6a, + 0xfa, 0x2c, 0xf6, 0x8c, 0x8b, 0x7e, 0xd5, 0xd5, 0xbc, 0x64, 0xb1, 0xf7, 0xb3, 0xab, 0x91, 0x93, + 0x10, 0x83, 0x1b, 0x6f, 0x83, 0xf8, 0x28, 0x88, 0x94, 0x87, 0x8b, 0x9b, 0x2f, 0xaf, 0x6e, 0xfe, + 0x5b, 0x85, 0x37, 0xa5, 0x58, 0xc6, 0x9a, 0x21, 0x86, 0x3f, 0x80, 0x99, 0x30, 0xe8, 0x0f, 0x04, + 0x17, 0x24, 0x56, 0xb5, 0xfd, 0xb8, 0x30, 0xbe, 0x82, 0x95, 0x76, 0x4a, 0x71, 0xd1, 0xd0, 0x98, + 0x1e, 0xfa, 0x60, 0x5a, 0xc6, 0x08, 0x9f, 0xf6, 0x4d, 0x77, 0x60, 0xfb, 0xea, 0x96, 0x1a, 0x9a, + 0xe0, 0xa2, 0x9d, 0x94, 0x1a, 0x06, 0xa0, 0xc8, 0x05, 0xf6, 0x8e, 0x7c, 0x16, 0x1c, 0x13, 
0xa6, + 0x6a, 0xef, 0xe2, 0x66, 0xf3, 0xea, 0x96, 0xf6, 0xc7, 0x24, 0x19, 0x33, 0x59, 0x6e, 0xc8, 0x00, + 0xa0, 0x31, 0x89, 0x3c, 0x12, 0xf1, 0x84, 0xab, 0xf2, 0xbd, 0xb8, 0xb9, 0x77, 0x75, 0x4b, 0x9d, + 0x98, 0x44, 0x75, 0xc5, 0x51, 0xeb, 0xcb, 0x9b, 0x7b, 0x61, 0x6f, 0x19, 0x2b, 0x95, 0xbf, 0xe6, + 0xc1, 0x83, 0x5f, 0x76, 0xc2, 0x65, 0x50, 0x49, 0x2b, 0x55, 0x13, 0x54, 0xcc, 0x50, 0x5e, 0x44, + 0xd5, 0xcc, 0x91, 0x77, 0xac, 0xec, 0xaa, 0xdf, 0xf2, 0x4e, 0xc7, 0x58, 0x0c, 0x50, 0xcc, 0x48, + 0x2f, 0x38, 0x51, 0x07, 0x7e, 0xc6, 0x05, 0x52, 0xb4, 0xa7, 0x24, 0xf0, 0x36, 0x98, 0xe9, 0xe1, + 0x20, 0x44, 0x72, 0x31, 0xe6, 0xca, 0x5b, 0x52, 0x20, 0x97, 0x2f, 0x8b, 0x7c, 0xf9, 0xca, 0x4c, + 0x38, 0xa2, 0x11, 0x22, 0x8c, 0x51, 0xa6, 0x4e, 0xd3, 0x8c, 0x5b, 0xd6, 0xe2, 0x4e, 0xd4, 0x94, + 0x42, 0xf8, 0x29, 0x70, 0x82, 0xc8, 0x0b, 0x13, 0x9f, 0xa0, 0x01, 0xc1, 0x32, 0xaf, 0xa3, 0x20, + 0x42, 0xde, 0x80, 0x78, 0x47, 0xce, 0x0d, 0x15, 0x49, 0x97, 0xcc, 0xfc, 0xb6, 0x9e, 0xde, 0x89, + 0xea, 0x72, 0x12, 0xfe, 0x3b, 0x78, 0x2f, 0x05, 0x08, 0x8a, 0x92, 0x98, 0x0b, 0x46, 0xf0, 0x50, + 0x5a, 0xc3, 0x61, 0x48, 0xdf, 0x38, 0xd3, 0x0a, 0xec, 0x18, 0x9d, 0x2e, 0x3d, 0x30, 0x1a, 0x9d, + 0xa8, 0x26, 0xe7, 0xe1, 0x7f, 0x80, 0x3b, 0x19, 0xbc, 0x4f, 0xdf, 0x44, 0x63, 0x06, 0x9f, 0x44, + 0xa7, 0x8e, 0xa5, 0x08, 0x6e, 0x8d, 0x08, 0x1a, 0x23, 0x95, 0x4e, 0xd4, 0x20, 0xd1, 0x69, 0xe5, + 0xff, 0x73, 0xef, 0xf2, 0x7c, 0xf6, 0x36, 0x5f, 0xd1, 0xf3, 0x67, 0x1c, 0x3b, 0x75, 0xb9, 0x63, + 0x0b, 0x13, 0x1c, 0x5b, 0x39, 0x02, 0x4b, 0x13, 0xef, 0xfa, 0x15, 0xd7, 0xf2, 0x01, 0x98, 0x1d, + 0xe2, 0x13, 0x24, 0x70, 0x1f, 0x85, 0x24, 0xea, 0x8b, 0x81, 0x5a, 0x50, 0xd9, 0x2d, 0x0d, 0xf1, + 0x49, 0x17, 0xf7, 0xdb, 0x4a, 0x56, 0xf9, 0xbf, 0x1c, 0x70, 0x7e, 0xee, 0xce, 0x5f, 0xd1, 0xe0, + 0x3d, 0x50, 0x32, 0x9d, 0x15, 0x41, 0x8f, 0xcc, 0xfe, 0x67, 0xdc, 0xa2, 0x96, 0x75, 0xa5, 0x68, + 0xc2, 0x9a, 0x0a, 0x13, 0xd6, 0x14, 0x82, 0xe5, 0xc9, 0xc1, 0xe1, 0x1f, 0xe2, 0x81, 0x3f, 0xe7, + 0xc1, 0xc2, 0x84, 0x08, 0x21, 
0x9f, 0x05, 0x3e, 0x39, 0x4c, 0xfa, 0x26, 0xd9, 0xeb, 0x01, 0xec, + 0x02, 0x47, 0x72, 0x46, 0xc9, 0xf0, 0x90, 0x30, 0x44, 0x7b, 0x08, 0x0b, 0xc1, 0x82, 0xc3, 0x44, + 0xd6, 0x58, 0x3a, 0xcf, 0xdd, 0xbe, 0x90, 0x7c, 0x77, 0x22, 0xf1, 0xec, 0x63, 0x53, 0x64, 0x0c, + 0xf1, 0xc9, 0xae, 0xc2, 0x76, 0x7a, 0xb5, 0x11, 0x12, 0xbe, 0x06, 0xb7, 0xce, 0xb1, 0x46, 0x11, + 0x15, 0xea, 0x34, 0x72, 0x93, 0xb0, 0xde, 0x49, 0xbb, 0x9c, 0xa5, 0x1d, 0x43, 0x65, 0xf1, 0x72, + 0x96, 0x77, 0x48, 0x38, 0xc7, 0x7d, 0x82, 0xc8, 0x31, 0x89, 0x04, 0x37, 0xc9, 0xe8, 0x9d, 0xd4, + 0x4e, 0x86, 0xfa, 0x95, 0x46, 0x37, 0x15, 0x78, 0x82, 0x7b, 0xaf, 0x4f, 0x70, 0xef, 0x8f, 0x79, + 0xb0, 0xf2, 0xee, 0xb0, 0x78, 0xc5, 0xaf, 0xfa, 0x06, 0x4c, 0x7b, 0x34, 0x12, 0xe4, 0x44, 0xa8, + 0xa7, 0xec, 0xec, 0xe6, 0xf7, 0xbf, 0x76, 0x9c, 0xae, 0xca, 0x31, 0xa9, 0x6b, 0x23, 0x6e, 0x6a, + 0xed, 0x97, 0x1d, 0xde, 0x35, 0x02, 0x4a, 0x59, 0x38, 0x9c, 0x03, 0xc5, 0x83, 0xdd, 0xfd, 0xbd, + 0x66, 0x7d, 0xe7, 0xc5, 0x4e, 0xb3, 0x61, 0x5f, 0x83, 0x4b, 0x60, 0xfe, 0xab, 0xa7, 0x75, 0xd4, + 0x75, 0x6b, 0xf5, 0x26, 0xaa, 0x77, 0x76, 0xbb, 0xcd, 0xaf, 0xbb, 0x76, 0x0e, 0x96, 0x80, 0xf5, + 0xd2, 0xdd, 0xab, 0xa3, 0xad, 0x9d, 0x5d, 0x3b, 0x0f, 0x6f, 0x82, 0x85, 0x7a, 0xbb, 0x73, 0xd0, + 0x38, 0xa7, 0x36, 0x05, 0x6f, 0x80, 0xfc, 0xd6, 0x53, 0xbb, 0xb0, 0x05, 0x80, 0x95, 0x56, 0x66, + 0x95, 0xc7, 0xc0, 0x3e, 0x5f, 0x74, 0x49, 0x9f, 0xa6, 0xad, 0x5c, 0xe3, 0x53, 0x33, 0x5c, 0x6b, + 0x81, 0xa5, 0x89, 0x6d, 0xe4, 0x8b, 0x2b, 0x9d, 0x06, 0x53, 0x9d, 0x17, 0x2f, 0xec, 0x1c, 0x2c, + 0x82, 0xe9, 0x46, 0xf3, 0x45, 0xed, 0xa0, 0xdd, 0xb5, 0xf3, 0x10, 0x80, 0x1b, 0xfb, 0x5d, 0x77, + 0xa7, 0xde, 0xb5, 0xa7, 0xd6, 0x1e, 0x00, 0x20, 0x43, 0xa7, 0x29, 0xab, 0x2c, 0x50, 0xd8, 0xed, + 0xec, 0x36, 0xed, 0x6b, 0x70, 0x16, 0x80, 0x57, 0x07, 0xaa, 0xc2, 0xe9, 0xb6, 0xf7, 0xed, 0xdc, + 0xda, 0x43, 0x30, 0x7f, 0xa1, 0x53, 0x2b, 0xd5, 0xd5, 0xa6, 0xae, 0xc9, 0x5f, 0xad, 0xfd, 0xce, + 0xae, 0x9d, 0x5b, 0xdb, 0x04, 0x73, 0xe7, 0x5a, 0x2a, 0x10, 0x82, 
0xd9, 0x46, 0x07, 0xed, 0x76, + 0xba, 0xe8, 0x60, 0xef, 0xa5, 0x5b, 0x6b, 0x48, 0xfe, 0x22, 0x98, 0x4e, 0x07, 0xb9, 0x56, 0xc1, + 0xca, 0xd9, 0xf9, 0x96, 0xac, 0xac, 0xa6, 0x5a, 0x05, 0x6b, 0xca, 0x2e, 0xb4, 0x0a, 0xd6, 0x47, + 0xf6, 0x93, 0x56, 0xc1, 0xba, 0x65, 0x57, 0x5a, 0x05, 0x6b, 0xc5, 0xbe, 0xdb, 0x2a, 0x58, 0xc0, + 0x2e, 0xb6, 0x0a, 0x56, 0xd1, 0x2e, 0xb5, 0x0a, 0xd6, 0x9c, 0x6d, 0xb7, 0x0a, 0x96, 0x6d, 0xcf, + 0xb7, 0x0a, 0x16, 0xb4, 0x17, 0x5a, 0x05, 0x6b, 0xc1, 0x5e, 0x6c, 0x15, 0xac, 0x45, 0x7b, 0xa9, + 0x55, 0xb0, 0x96, 0xec, 0xe5, 0x56, 0xc1, 0xba, 0x69, 0x3b, 0xad, 0x82, 0x75, 0xc7, 0x5e, 0x69, + 0x15, 0xac, 0x4f, 0xec, 0x67, 0xad, 0x82, 0x75, 0xdf, 0x7e, 0xd0, 0x2a, 0x58, 0x0f, 0xec, 0x87, + 0xad, 0x82, 0xf5, 0xd0, 0x5e, 0x77, 0xe1, 0x30, 0x38, 0x21, 0x4c, 0x67, 0x3c, 0xd5, 0x9b, 0x23, + 0xcc, 0x5d, 0xd0, 0x32, 0x46, 0x54, 0x5b, 0xcd, 0x08, 0x97, 0xd2, 0xbe, 0xb1, 0xee, 0x2d, 0x69, + 0x04, 0x77, 0x47, 0xed, 0x64, 0x8d, 0x51, 0x7f, 0xcc, 0x68, 0x20, 0x77, 0x97, 0xb3, 0xaa, 0x68, + 0x94, 0x53, 0xdc, 0xfb, 0xf2, 0x95, 0xee, 0x61, 0x26, 0x33, 0x9f, 0x20, 0x21, 0x19, 0x12, 0xa1, + 0x4a, 0x68, 0xae, 0xba, 0x01, 0xb2, 0x3c, 0x8d, 0x02, 0x71, 0xea, 0x16, 0xe5, 0x7b, 0xd7, 0x98, + 0x73, 0xe7, 0x99, 0x3f, 0x6e, 0x91, 0xf9, 0x24, 0xc4, 0xa7, 0x6e, 0x59, 0x9b, 0x34, 0x95, 0x89, + 0x9b, 0xb6, 0xc7, 0x75, 0x4b, 0x43, 0x55, 0x02, 0x67, 0xd6, 0xea, 0x96, 0xb8, 0xcf, 0x51, 0xe2, + 0x73, 0x24, 0x1f, 0x11, 0xee, 0x3c, 0xbf, 0x40, 0xb8, 0x6c, 0x18, 0xe4, 0x8c, 0x8a, 0xfe, 0x68, + 0x48, 0x93, 0x48, 0xb8, 0x50, 0x01, 0x39, 0x41, 0x47, 0xcf, 0x39, 0xe2, 0x18, 0xfd, 0xf0, 0x46, + 0xb8, 0x15, 0x41, 0xd8, 0x30, 0xed, 0x42, 0xfa, 0x0c, 0x07, 0x11, 0x4a, 0xff, 0x84, 0x73, 0x17, + 0x53, 0x9f, 0x18, 0x0f, 0x1e, 0x62, 0xe1, 0x0d, 0x5c, 0x27, 0x3b, 0x42, 0xf2, 0x12, 0x92, 0x48, + 0xb0, 0x80, 0x70, 0x77, 0xe9, 0xc2, 0x8c, 0xac, 0x84, 0xd6, 0xfe, 0x98, 0x03, 0xa5, 0x6c, 0x33, + 0xfa, 0x9f, 0x59, 0x95, 0xed, 0x81, 0x45, 0x9e, 0x1c, 0x72, 0x8f, 0x05, 0x87, 0xc4, 0x47, 0x8c, + 0xa4, 
0x8d, 0x73, 0x1d, 0xac, 0xee, 0x4c, 0x0c, 0x56, 0xae, 0xd1, 0x72, 0x17, 0xc6, 0xd0, 0x54, + 0xc6, 0xd7, 0xbe, 0x04, 0xc5, 0x4c, 0x5f, 0x40, 0x3e, 0xef, 0x38, 0xf1, 0x18, 0x31, 0x8d, 0x40, + 0xbd, 0x1f, 0xa0, 0x45, 0xaa, 0xf7, 0x77, 0x1b, 0xcc, 0xf8, 0x11, 0xd7, 0x3d, 0x5a, 0x53, 0xd4, + 0x5a, 0x7e, 0xc4, 0x55, 0x7b, 0xf6, 0xd1, 0x2a, 0xb0, 0x52, 0x66, 0xb8, 0x08, 0xec, 0xb4, 0x03, + 0x91, 0xf6, 0x2d, 0xec, 0x6b, 0x5b, 0xeb, 0x7f, 0xf8, 0x69, 0x25, 0xf7, 0xa7, 0x9f, 0x56, 0x72, + 0x7f, 0xf9, 0x69, 0x25, 0xf7, 0x6d, 0x45, 0xaf, 0x57, 0xff, 0x57, 0xb9, 0x71, 0xe6, 0xdf, 0xcf, + 0xc3, 0x1b, 0x2a, 0x61, 0x3c, 0xfd, 0x5b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x24, 0xa2, 0xee, 0x9f, + 0x86, 0x1d, 0x00, 0x00, } func (m *MeshConfig) Marshal() (dAtA []byte, err error) { @@ -3050,12 +3049,14 @@ func (m *MeshConfig_CertificateData) MarshalToSizedBuffer(dAtA []byte) (int, err i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if len(m.TrustDomain) > 0 { - i -= len(m.TrustDomain) - copy(dAtA[i:], m.TrustDomain) - i = encodeVarintConfig(dAtA, i, uint64(len(m.TrustDomain))) - i-- - dAtA[i] = 0x1a + if len(m.TrustDomains) > 0 { + for iNdEx := len(m.TrustDomains) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.TrustDomains[iNdEx]) + copy(dAtA[i:], m.TrustDomains[iNdEx]) + i = encodeVarintConfig(dAtA, i, uint64(len(m.TrustDomains[iNdEx]))) + i-- + dAtA[i] = 0x1a + } } if m.CertificateData != nil { { @@ -4271,9 +4272,11 @@ func (m *MeshConfig_CertificateData) Size() (n int) { if m.CertificateData != nil { n += m.CertificateData.Size() } - l = len(m.TrustDomain) - if l > 0 { - n += 1 + l + sovConfig(uint64(l)) + if len(m.TrustDomains) > 0 { + for _, s := range m.TrustDomains { + l = len(s) + n += 1 + l + sovConfig(uint64(l)) + } } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) 
@@ -6221,7 +6224,7 @@ func (m *MeshConfig_CertificateData) Unmarshal(dAtA []byte) error { iNdEx = postIndex case 3: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field TrustDomain", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field TrustDomains", wireType) } var stringLen uint64 for shift := uint(0); ; shift += 7 {
@@ -6249,7 +6252,7 @@ func (m *MeshConfig_CertificateData) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.TrustDomain = string(dAtA[iNdEx:postIndex]) + m.TrustDomains = append(m.TrustDomains, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex default: iNdEx = preIndex
diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto
index 70f6735544b..583667a6e24 100644
--- a/mesh/v1alpha1/config.proto
+++ b/mesh/v1alpha1/config.proto
@@ -223,12 +223,10 @@ message MeshConfig {
 string spiffe_bundle_url = 2;
 }

- // Optional. Specify the trust domain to which this certificate data belongs.
- // If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for
- // distinguishing different trust domains from each other. Certificates in a same trust domain will be merged
- // and used together to validate the trust domain.
- // If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set.
- string trust_domain = 3;
+ // Optional. Specify the list of trust domains to which this certificate data belongs.
+ // If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain
+ // and its aliases.
+ repeated string trust_domains = 3;
 }

 // The extra root certificates for workload-to-workload communication.
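Review bot: The replacement comment on `trust_domains` in `CertificateData` leaves the empty case under-specified: with the list unset the root CA is used for "default trust domain and its aliases", so an entry for another cluster's root that omits the list would be accepted as a signer for local identities, which is the cross-domain case the comment removed in the next hunk of this file warned about. The comment should name the settings meant by "default trust domain" and "aliases", state whether a root with a non-empty list is used only for the listed domains, and say how several entries naming the same domain combine, which the removed text covered with "will be merged". It also carries a typo, `ise used` for `is used`. Suggested addition: `// If empty, this root CA is used for the mesh's default trust domain and its aliases; always set it for a root that belongs to another trust domain.`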
@@ -237,25 +235,6 @@ message MeshConfig {
 // The CA certificate that signs the workload certificates is automatically added by Istio Agent.
 repeated CertificateData ca_certificates = 58;

- // If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation.
- // That means, all the root certificates specified in `ca_certificates` and the self-signed 'istio-ca-secret' secret are used to
- // validate client certificates while keeping them isolated from each other.
- // More precisely, the proxy validates client certificates with the following procedure:
- // 1. Extract the SVID(URI SAN) in an incoming client certificate.
- // 2. Select a root certificate for the trust domain in the SVID (E.g. "example.com" for "spiffe://example.com/foo" SVID).
- // 3. Verify the certificate using the selected root certificate.
- // This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates.
- // For example, consider the case where a cluster A manages the trust domain "aaa.com", cluster B manages "bbb.com".
- // When services in cluster A talk to services in cluster B, services in cluster B have to validate client certificates
- // based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B,
- // then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because
- // cluster A might sign client certificates with "spiffe://bbb.com/**" URI SAN in order to bypass
- // cluster B's authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other.
- // This is why we need to select root certificates based on the trust domain before verify client certificates.
- //
- // Please note that this setting requires `STRICT` mTLS mode to take into effect.
- bool enabled_spiffe_multiple_independent_trust_domain_authentication = 60;
-
 // The default value for the ServiceEntry.export_to field and services
 // imported through container registry integrations, e.g. this applies to
 // Kubernetes Service resources. The value is a list of namespace names and
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
index c5293759c6b..41c876b592c 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
@@ -118,10 +118,6 @@ "format": "string" } }, - "enabledSpiffeMultipleIndependentTrustDomainAuthentication": { - "description": "If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation. That means, all the root certificates specified in `ca_certificates` and the self-signed 'istio-ca-secret' secret are used to validate client certificates while keeping them isolated from each other. More precisely, the proxy validates client certificates with the following procedure: 1. Extract the SVID(URI SAN) in an incoming client certificate. 2. Select a root certificate for the trust domain in the SVID (E.g. \"example.com\" for \"spiffe://example.com/foo\" SVID). 3. Verify the certificate using the selected root certificate. This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates. For example, consider the case where a cluster A manages the trust domain \"aaa.com\", cluster B manages \"bbb.com\". When services in cluster A talk to services in cluster B, services in cluster B has to validate client certificates based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B, then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because cluster A might sign client certificates with \"spiffe://bbb.com/**\" URI SAN in order to bypass cluster B's authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other. This is why we need to select root certificates based on the trust domain before verify client certificates.", - "type": "boolean" - }, "defaultServiceExportTo": { "description": "The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. 
The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use \"*\" as the default value which implies that services are exported to all namespaces.", "type": "array", @@ -416,10 +412,13 @@ "istio.mesh.v1alpha1.MeshConfig.CertificateData": { "type": "object", "properties": { - "trustDomain": { - "description": "Optional. Specify the trust domain to which this certificate data belongs. If `enabled_spiffe_multiple_independent_trust_domain_authentication` enabled, this must be set for distinguishing different trust domains from each other. Certificates in a same trust domain will be merged and used together to validate the trust domain. If `enabled_spiffe_multiple_independent_trust_domain_authentication` disabled, it is not necessary to set.", - "type": "string", - "format": "string" + "trustDomains": { + "description": "Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain and its aliases.", + "type": "array", + "items": { + "type": "string", + "format": "string" + } } }, "oneOf": [ diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index aa202172683..8f96775973f 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -328,33 +328,6 @@

MeshConfig

are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

- - -No - - - -enabledSpiffeMultipleIndependentTrustDomainAuthentication -bool - -

If enabled, SPIFFE multiple independent trust domain authentication scheme is used for mTSL client certificate validation. -That means, all the root certificates specified in ca_certificates and the self-signed ‘istio-ca-secret’ secret are used to -validate client certificates while keeping them isolated from each other. -More precisely, the proxy validates client certificates with the following procedure: -1. Extract the SVID(URI SAN) in an incoming client certificate. -2. Select a root certificate for the trust domain in the SVID (E.g. “example.com” for “spiffe://example.com/foo” SVID). -3. Verify the certificate using the selected root certificate. -This is a particular importance for cross cluster mTLS communication where each cluster manages their own root certificates. -For example, consider the case where a cluster A manages the trust domain “aaa.com”, cluster B manages “bbb.com”. -When services in cluster A talk to services in cluster B, services in cluster B has to validate client certificates -based on the root certificates of cluster A. However, if we merge root certificates from both cluster A and cluster B, -then we cannot trust that presented client certificates are actually signed by the corresponding cluster. That is because -cluster A might sign client certificates with “spiffe://bbb.com/**” URI SAN in order to bypass -cluster B’s authorization based on workload identity. In that case, we say these trust domains are NOT isolated from each other. -This is why we need to select root certificates based on the trust domain before verify client certificates.

- -

Please note that this setting requires STRICT mTLS mode to take into effect.

- No @@ -848,15 +821,13 @@

MeshConfig.CertificateData

No - -trustDomain -string + +trustDomains +string[] -

Optional. Specify the trust domain to which this certificate data belongs. -If enabled_spiffe_multiple_independent_trust_domain_authentication enabled, this must be set for -distinguishing different trust domains from each other. Certificates in a same trust domain will be merged -and used together to validate the trust domain. -If enabled_spiffe_multiple_independent_trust_domain_authentication disabled, it is not necessary to set.

+

Optional. Specify the list of trust domains to which this certificate data belongs. +If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain +and its aliases.

diff --git a/python/istio_api/mesh/v1alpha1/config_pb2.py b/python/istio_api/mesh/v1alpha1/config_pb2.py index c267cf53ea8..9b9afe8dd28 100644 --- a/python/istio_api/mesh/v1alpha1/config_pb2.py +++ b/python/istio_api/mesh/v1alpha1/config_pb2.py 
@@ -26,7 +26,7 @@ package='istio.mesh.v1alpha1', syntax='proto3', serialized_options=_b('Z\032istio.io/api/mesh/v1alpha1'), - serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xa4\x36\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 
\x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 \x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 
\x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 \x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12]\n\x11\x64\x65\x66\x61ult_providers\x18< \x01(\x0b\x32\x30.istio.mesh.v1alpha1.MeshConfig.DefaultProvidersR\x10\x64\x65\x66\x61ultProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1a\x8a\x01\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrl\x12!\n\x0ctrust_domain\x18\x03 \x01(\tR\x0btrustDomainB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xa0\x13\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 
\x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x12\x61\n\x06zipkin\x18\x04 \x01(\x0b\x32G.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProviderH\x00R\x06zipkin\x12j\n\tlightstep\x18\x05 \x01(\x0b\x32J.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProviderH\x00R\tlightstep\x12\x64\n\x07\x64\x61tadog\x18\x06 \x01(\x0b\x32H.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProviderH\x00R\x07\x64\x61tadog\x12i\n\x0bstackdriver\x18\x07 \x01(\x0b\x32\x45.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProviderH\x00R\x0bstackdriver\x12r\n\nopencensus\x18\x08 \x01(\x0b\x32P.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProviderH\x00R\nopencensus\x1a\xf7\x02\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1a\x9b\x01\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x1ak\n\x15ZipkinTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 
\x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\x91\x01\n\x18LightstepTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12!\n\x0c\x61\x63\x63\x65ss_token\x18\x03 \x01(\tR\x0b\x61\x63\x63\x65ssToken\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\x1al\n\x16\x44\x61tadogTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\xdc\x02\n\x13StackdriverProvider\x12\x14\n\x05\x64\x65\x62ug\x18\x01 \x01(\x08R\x05\x64\x65\x62ug\x12T\n\x18max_number_of_attributes\x18\x02 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x15maxNumberOfAttributes\x12V\n\x19max_number_of_annotations\x18\x03 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x16maxNumberOfAnnotations\x12[\n\x1cmax_number_of_message_events\x18\x04 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x18maxNumberOfMessageEvents\x12$\n\x0emax_tag_length\x18\x05 \x01(\rR\x0cmaxTagLength\x1a\xd4\x02\n\x1eOpenCensusAgentTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12w\n\x07\x63ontext\x18\x03 \x03(\x0e\x32].istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContextR\x07\x63ontext\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\"e\n\x0cTraceContext\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x15\n\x11W3C_TRACE_CONTEXT\x10\x01\x12\x0c\n\x08GRPC_BIN\x10\x02\x12\x17\n\x13\x43LOUD_TRACE_CONTEXT\x10\x03\x12\x06\n\x02\x42\x33\x10\x04\x42\n\n\x08provider\x1a,\n\x10\x44\x65\x66\x61ultProviders\x12\x18\n\x07tracing\x18\x01 
\x01(\tR\x07tracing\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') + 
serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xa6\x36\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 \x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 
\x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 
\x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12]\n\x11\x64\x65\x66\x61ult_providers\x18< \x01(\x0b\x32\x30.istio.mesh.v1alpha1.MeshConfig.DefaultProvidersR\x10\x64\x65\x66\x61ultProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1a\x8c\x01\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrl\x12#\n\rtrust_domains\x18\x03 \x03(\tR\x0ctrustDomainsB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xa0\x13\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 
\x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x12\x61\n\x06zipkin\x18\x04 \x01(\x0b\x32G.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProviderH\x00R\x06zipkin\x12j\n\tlightstep\x18\x05 \x01(\x0b\x32J.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProviderH\x00R\tlightstep\x12\x64\n\x07\x64\x61tadog\x18\x06 \x01(\x0b\x32H.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProviderH\x00R\x07\x64\x61tadog\x12i\n\x0bstackdriver\x18\x07 \x01(\x0b\x32\x45.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProviderH\x00R\x0bstackdriver\x12r\n\nopencensus\x18\x08 \x01(\x0b\x32P.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProviderH\x00R\nopencensus\x1a\xf7\x02\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1a\x9b\x01\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x1ak\n\x15ZipkinTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\x91\x01\n\x18LightstepTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 
\x01(\rR\x04port\x12!\n\x0c\x61\x63\x63\x65ss_token\x18\x03 \x01(\tR\x0b\x61\x63\x63\x65ssToken\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\x1al\n\x16\x44\x61tadogTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\xdc\x02\n\x13StackdriverProvider\x12\x14\n\x05\x64\x65\x62ug\x18\x01 \x01(\x08R\x05\x64\x65\x62ug\x12T\n\x18max_number_of_attributes\x18\x02 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x15maxNumberOfAttributes\x12V\n\x19max_number_of_annotations\x18\x03 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x16maxNumberOfAnnotations\x12[\n\x1cmax_number_of_message_events\x18\x04 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x18maxNumberOfMessageEvents\x12$\n\x0emax_tag_length\x18\x05 \x01(\rR\x0cmaxTagLength\x1a\xd4\x02\n\x1eOpenCensusAgentTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12w\n\x07\x63ontext\x18\x03 \x03(\x0e\x32].istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContextR\x07\x63ontext\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\"e\n\x0cTraceContext\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x15\n\x11W3C_TRACE_CONTEXT\x10\x01\x12\x0c\n\x08GRPC_BIN\x10\x02\x12\x17\n\x13\x43LOUD_TRACE_CONTEXT\x10\x03\x12\x06\n\x02\x42\x33\x10\x04\x42\n\n\x08provider\x1a,\n\x10\x44\x65\x66\x61ultProviders\x12\x18\n\x07tracing\x18\x01 
\x01(\tR\x07tracing\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') , 
dependencies=[google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,google_dot_protobuf_dot_wrappers__pb2.DESCRIPTOR,mesh_dot_v1alpha1_dot_proxy__pb2.DESCRIPTOR,networking_dot_v1alpha3_dot_destination__rule__pb2.DESCRIPTOR,k8s_dot_io_dot_apimachinery_dot_pkg_dot_apis_dot_meta_dot_v1_dot_generated__pb2.DESCRIPTOR,]) @@ -43,8 +43,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=7474, - serialized_end=7506, + serialized_start=7476, + serialized_end=7508, ) _sym_db.RegisterEnumDescriptor(_RESOURCE) @@ -103,8 +103,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6290, - serialized_end=6391, + serialized_start=6292, + serialized_end=6393, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER_TRACECONTEXT) @@ -133,8 +133,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6451, - serialized_end=6525, + serialized_start=6453, + serialized_end=6527, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_INGRESSCONTROLLERMODE) @@ -155,8 +155,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6527, - serialized_end=6565, + serialized_start=6529, + serialized_end=6567, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_AUTHPOLICY) @@ -177,8 +177,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6567, - serialized_end=6606, + serialized_start=6569, + serialized_end=6608, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_ACCESSLOGENCODING) @@ -199,8 +199,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6608, - serialized_end=6658, + serialized_start=6610, + serialized_end=6660, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_H2UPGRADEPOLICY) 
@@ -258,12 +258,12 @@ is_extension=False, extension_scope=None, serialized_options=None, json_name='spiffeBundleUrl', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='trust_domain', full_name='istio.mesh.v1alpha1.MeshConfig.CertificateData.trust_domain', index=2, - number=3, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), + name='trust_domains', full_name='istio.mesh.v1alpha1.MeshConfig.CertificateData.trust_domains', index=2, + number=3, type=9, cpp_type=9, label=3, + has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, - serialized_options=None, json_name='trustDomain', file=DESCRIPTOR), + serialized_options=None, json_name='trustDomains', file=DESCRIPTOR), ], extensions=[ ], @@ -280,7 +280,7 @@ index=0, containing_type=None, fields=[]), ], serialized_start=3279, - serialized_end=3417, + serialized_end=3419, ) _MESHCONFIG_THRIFTCONFIG = _descriptor.Descriptor( @@ -316,8 +316,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3419, - serialized_end=3544, + serialized_start=3421, + serialized_end=3546, ) _MESHCONFIG_SERVICESETTINGS_SETTINGS = _descriptor.Descriptor( @@ -346,8 +346,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3674, - serialized_end=3721, + serialized_start=3676, + serialized_end=3723, ) _MESHCONFIG_SERVICESETTINGS = _descriptor.Descriptor( @@ -383,8 +383,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3547, - serialized_end=3721, + serialized_start=3549, + serialized_end=3723, ) _MESHCONFIG_CA = _descriptor.Descriptor( @@ -434,8 +434,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=3724, - serialized_end=3936, + serialized_start=3726, + serialized_end=3938, ) _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER = _descriptor.Descriptor( 
@@ -513,8 +513,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=4797, - serialized_end=5172, + serialized_start=4799, + serialized_end=5174, ) _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER = _descriptor.Descriptor( @@ -564,8 +564,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5175, - serialized_end=5330, + serialized_start=5177, + serialized_end=5332, ) _MESHCONFIG_EXTENSIONPROVIDER_ZIPKINTRACINGPROVIDER = _descriptor.Descriptor( @@ -608,8 +608,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5332, - serialized_end=5439, + serialized_start=5334, + serialized_end=5441, ) _MESHCONFIG_EXTENSIONPROVIDER_LIGHTSTEPTRACINGPROVIDER = _descriptor.Descriptor( @@ -659,8 +659,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5442, - serialized_end=5587, + serialized_start=5444, + serialized_end=5589, ) _MESHCONFIG_EXTENSIONPROVIDER_DATADOGTRACINGPROVIDER = _descriptor.Descriptor( @@ -703,8 +703,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5589, - serialized_end=5697, + serialized_start=5591, + serialized_end=5699, ) _MESHCONFIG_EXTENSIONPROVIDER_STACKDRIVERPROVIDER = _descriptor.Descriptor( @@ -761,8 +761,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5700, - serialized_end=6048, + serialized_start=5702, + serialized_end=6050, ) _MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER = _descriptor.Descriptor( @@ -813,8 +813,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=6051, - serialized_end=6391, + serialized_start=6053, + serialized_end=6393, ) _MESHCONFIG_EXTENSIONPROVIDER = _descriptor.Descriptor( @@ -895,8 +895,8 @@ name='provider', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.provider', index=0, containing_type=None, fields=[]), ], - serialized_start=3939, - serialized_end=6403, + serialized_start=3941, + serialized_end=6405, ) _MESHCONFIG_DEFAULTPROVIDERS = _descriptor.Descriptor( 
@@ -925,8 +925,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=6405, - serialized_end=6449, + serialized_start=6407, + serialized_end=6451, ) _MESHCONFIG = _descriptor.Descriptor( @@ -1233,7 +1233,7 @@ oneofs=[ ], serialized_start=241, - serialized_end=7189, + serialized_end=7191, ) @@ -1277,8 +1277,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=7192, - serialized_end=7395, + serialized_start=7194, + serialized_end=7397, ) @@ -1315,8 +1315,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=7397, - serialized_end=7472, + serialized_start=7399, + serialized_end=7474, ) _MESHCONFIG_OUTBOUNDTRAFFICPOLICY.fields_by_name['mode'].enum_type = _MESHCONFIG_OUTBOUNDTRAFFICPOLICY_MODE diff --git a/security/v1beta1/authorization_policy.gen.json b/security/v1beta1/authorization_policy.gen.json index e4bfd3b9b52..c1fcb72b0b5 100644 --- a/security/v1beta1/authorization_policy.gen.json +++ b/security/v1beta1/authorization_policy.gen.json @@ -230,7 +230,7 @@ } }, "trustDomains": { - "description": "Optional. A list of trust domains of client certificates. This field requires mTLS enabled.", + "description": "Optional. A list of trust domains of client certificates. If not specified, the default trust domain and its aliases will be used.", "type": "array", "items": { "type": "string", diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go index fe9755b0204..3883a9cddde 100644 --- a/security/v1beta1/authorization_policy.pb.go +++ b/security/v1beta1/authorization_policy.pb.go 
@@ -687,7 +687,7 @@ type Source struct { // Optional. A list of negative match of remote IP blocks. NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` // Optional. A list of trust domains of client certificates. - // This field requires mTLS enabled. + // If not specified, the default trust domain and its aliases will be used. TrustDomains []string `protobuf:"bytes,11,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index 54545c20ac2..f99bf40ae1b 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -487,7 +487,7 @@

Source

string[]

Optional. A list of trust domains of client certificates. -This field requires mTLS enabled.

+If not specified, the default trust domain and its aliases will be used.

diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto index 42d14526a51..89b511c7b3e 100644 --- a/security/v1beta1/authorization_policy.proto +++ b/security/v1beta1/authorization_policy.proto @@ -412,7 +412,7 @@ message Source { repeated string not_remote_ip_blocks = 10; // Optional. A list of trust domains of client certificates. - // This field requires mTLS enabled. + // If not specified, the default trust domain and its aliases will be used. repeated string trust_domains = 11; } From 27e2de5d6c4f97ed0c5f8c7d30db397a448b1a30 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 30 Mar 2021 10:00:02 +0900 Subject: [PATCH 3/6] Fix typo Signed-off-by: Takeshi Yoneda --- mesh/v1alpha1/config.pb.go | 2 +- mesh/v1alpha1/config.proto | 2 +- mesh/v1alpha1/istio.mesh.v1alpha1.gen.json | 2 +- mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 631dd671e7a..74e89d65ef2 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go @@ -899,7 +899,7 @@ type MeshConfig_CertificateData struct { // *MeshConfig_CertificateData_SpiffeBundleUrl CertificateData isMeshConfig_CertificateData_CertificateData `protobuf_oneof:"certificate_data"` // Optional. Specify the list of trust domains to which this certificate data belongs. - // If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain + // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain // and its aliases. TrustDomains []string `protobuf:"bytes,3,rep,name=trust_domains,json=trustDomains,proto3" json:"trustDomains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 583667a6e24..14ed6ea00d0 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto 
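Review bot: The replacement comment on `trust_domains` in `message Source` drops the only statement that the field depends on mTLS, and nothing in the hunk suggests that dependency went away. The field matches trust domains taken from the peer certificate, so on a plaintext connection there is presumably nothing to match against. I would keep both sentences, e.g. `// This field requires mTLS enabled. If not specified, the default trust domain and its aliases will be used.` The new sentence should also say whether an empty list restricts the rule to peers in the default trust domain or leaves the source unconstrained, because a reader writing an ALLOW rule needs to know which. The same wording is regenerated into the `.gen.json`, `.pb.go` and `.pb.html` hunks of this patch, and `message Source` starts before the hunk.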
@@ -224,7 +224,7 @@ message MeshConfig { } // Optional. Specify the list of trust domains to which this certificate data belongs. - // If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain + // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain // and its aliases. repeated string trust_domains = 3; } diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json index 41c876b592c..879bf9e0f99 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json @@ -413,7 +413,7 @@ "type": "object", "properties": { "trustDomains": { - "description": "Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain and its aliases.", + "description": "Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain and its aliases.", "type": "array", "items": { "type": "string", diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index 8f96775973f..a8716f0fdab 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -826,7 +826,7 @@

MeshConfig.CertificateData

string[]

Optional. Specify the list of trust domains to which this certificate data belongs. -If set, they are used for this root CA, otherwise, this root CA ise used for default trust domain +If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain and its aliases.

From eeb68137c44bb186caa44ec221373c95c5eea704 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 30 Mar 2021 10:13:41 +0900 Subject: [PATCH 4/6] Add comments about multiple cert data with a same trust_domain Signed-off-by: Takeshi Yoneda --- mesh/v1alpha1/config.pb.go | 2 ++ mesh/v1alpha1/config.proto | 2 ++ mesh/v1alpha1/istio.mesh.v1alpha1.gen.json | 2 +- mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 4 +++- 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 74e89d65ef2..74d8110272e 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go @@ -901,6 +901,8 @@ type MeshConfig_CertificateData struct { // Optional. Specify the list of trust domains to which this certificate data belongs. // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain // and its aliases. + // Note that we can have multiple certificate data for a same trust_domain. + // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. TrustDomains []string `protobuf:"bytes,3,rep,name=trust_domains,json=trustDomains,proto3" json:"trustDomains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 14ed6ea00d0..5917ef115b4 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto @@ -226,6 +226,8 @@ message MeshConfig { // Optional. Specify the list of trust domains to which this certificate data belongs. // If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain // and its aliases. + // Note that we can have multiple certificate data for a same trust_domain. + // In that case, certificates with a same trust domain will be merged and used together to verify peer certificates. repeated string trust_domains = 3; } 
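Review bot: The two comment lines added above `repeated string trust_domains = 3;` say that entries sharing a trust domain are merged, but not what that means for trust. As I read "merged and used together", any root CA listed under a trust domain can then vouch for every identity in it, so one mislabelled entry widens that domain to another CA. I would say so explicitly and fix the grammar, e.g. `// Multiple certificate data entries may name the same trust domain; their root certificates are merged, and a peer certificate in that domain is accepted if it chains to any of them.` It would also help to state how an entry with no `trust_domains` combines with one that names the default trust domain explicitly, which the hunk does not show. `message MeshConfig` starts before the hunk.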
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json index 879bf9e0f99..81d071d753d 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.gen.json @@ -413,7 +413,7 @@ "type": "object", "properties": { "trustDomains": { - "description": "Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain and its aliases.", + "description": "Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain and its aliases. Note that we can have multiple certificate data for a same trust_domain. In that case, certificates with a same trust domain will be merged and used together to verify peer certificates.", "type": "array", "items": { "type": "string", diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index a8716f0fdab..07d184424e4 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -827,7 +827,9 @@

MeshConfig.CertificateData

Optional. Specify the list of trust domains to which this certificate data belongs. If set, they are used for this root CA. Otherwise, this root CA is used for default trust domain -and its aliases.

+and its aliases. +Note that we can have multiple certificate data for a same trust_domain. +In that case, certificates with a same trust domain will be merged and used together to verify peer certificates.

From dd2a7c1dc8491ae6a3a0560af7cb5b7aed177d34 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 30 Mar 2021 10:17:57 +0900 Subject: [PATCH 5/6] fix comment: client -> peer Signed-off-by: Takeshi Yoneda --- security/v1beta1/authorization_policy.gen.json | 2 +- security/v1beta1/authorization_policy.pb.go | 2 +- security/v1beta1/authorization_policy.pb.html | 2 +- security/v1beta1/authorization_policy.proto | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/v1beta1/authorization_policy.gen.json b/security/v1beta1/authorization_policy.gen.json index c1fcb72b0b5..81f03cf966e 100644 --- a/security/v1beta1/authorization_policy.gen.json +++ b/security/v1beta1/authorization_policy.gen.json @@ -230,7 +230,7 @@ } }, "trustDomains": { - "description": "Optional. A list of trust domains of client certificates. If not specified, the default trust domain and its aliases will be used.", + "description": "Optional. A list of trust domains of peer certificates. If not specified, the default trust domain and its aliases will be used.", "type": "array", "items": { "type": "string", diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go index 3883a9cddde..a76f4663a9e 100644 --- a/security/v1beta1/authorization_policy.pb.go +++ b/security/v1beta1/authorization_policy.pb.go 
@@ -686,7 +686,7 @@ type Source struct { RemoteIpBlocks []string `protobuf:"bytes,9,rep,name=remote_ip_blocks,json=remoteIpBlocks,proto3" json:"remote_ip_blocks,omitempty"` // Optional. A list of negative match of remote IP blocks. NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` - // Optional. A list of trust domains of client certificates. + // Optional. A list of trust domains of peer certificates. // If not specified, the default trust domain and its aliases will be used. TrustDomains []string `protobuf:"bytes,11,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index f99bf40ae1b..3aa045a6c40 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -486,7 +486,7 @@

Source

trustDomains string[] -

Optional. A list of trust domains of client certificates. +

Optional. A list of trust domains of peer certificates. If not specified, the default trust domain and its aliases will be used.

diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto index 89b511c7b3e..3472507cf57 100644 --- a/security/v1beta1/authorization_policy.proto +++ b/security/v1beta1/authorization_policy.proto @@ -411,7 +411,7 @@ message Source { // Optional. A list of negative match of remote IP blocks. repeated string not_remote_ip_blocks = 10; - // Optional. A list of trust domains of client certificates. + // Optional. A list of trust domains of peer certificates. // If not specified, the default trust domain and its aliases will be used. repeated string trust_domains = 11; } From b6494ea6e38c4f085ea4281039f7b8f28f077615 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 5 Apr 2021 09:11:01 +0900 Subject: [PATCH 6/6] re make Signed-off-by: Takeshi Yoneda --- mesh/v1alpha1/config.pb.go | 1270 ++++++++++++++---- python/istio_api/mesh/v1alpha1/config_pb2.py | 237 +++- 2 files changed, 1211 insertions(+), 296 deletions(-) diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 74d8110272e..0f79aa82776 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go @@ -252,7 +252,7 @@ func (x MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider_TraceContext } func (MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider_TraceContext) EnumDescriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 6, 0} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 7, 0} } // MeshConfig defines mesh-wide settings for the Istio service mesh. 
@@ -1441,6 +1441,86 @@ func (*MeshConfig_ExtensionProvider) XXX_OneofWrappers() []interface{} { } } +type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody struct { + // Sets the maximum size of a message body that the ext-authz filter will hold in memory. + // If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + // Otherwise the request will be sent to the provider with a partial message. + // Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the + // fail_open is set to true. + MaxRequestBytes uint32 `protobuf:"varint,1,opt,name=max_request_bytes,json=maxRequestBytes,proto3" json:"maxRequestBytes,omitempty"` + // When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + // A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + // indicating if the body data is partial. + AllowPartialMessage bool `protobuf:"varint,2,opt,name=allow_partial_message,json=allowPartialMessage,proto3" json:"allowPartialMessage,omitempty"` + // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + // in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + // Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + // This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. 
+ PackAsBytes bool `protobuf:"varint,3,opt,name=pack_as_bytes,json=packAsBytes,proto3" json:"packAsBytes,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) Reset() { + *m = MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody{} +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) String() string { + return proto.CompactTextString(m) +} +func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) ProtoMessage() {} +func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) Descriptor() ([]byte, []int) { + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 0} +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) XXX_Merge(src proto.Message) { + xxx_messageInfo_MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody.Merge(m, src) +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) XXX_Size() int { + return m.Size() +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) XXX_DiscardUnknown() { + xxx_messageInfo_MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody.DiscardUnknown(m) +} + +var xxx_messageInfo_MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody proto.InternalMessageInfo + 
+func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) GetMaxRequestBytes() uint32 { + if m != nil { + return m.MaxRequestBytes + } + return 0 +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) GetAllowPartialMessage() bool { + if m != nil { + return m.AllowPartialMessage + } + return false +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) GetPackAsBytes() bool { + if m != nil { + return m.PackAsBytes + } + return false +} + type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct { // REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. // The format is "[/]". The specification of is required only when it is insufficient @@ -1451,6 +1531,10 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct Service string `protobuf:"bytes,1,opt,name=service,proto3" json:"service,omitempty"` // REQUIRED. Specifies the port of the service. Port uint32 `protobuf:"varint,2,opt,name=port,proto3" json:"port,omitempty"` + // The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). + // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + Timeout *types.Duration `protobuf:"bytes,9,opt,name=timeout,proto3" json:"timeout,omitempty"` // Sets a prefix to the value of authorization request header *Path*. // For example, setting this to "/check" for an original user request at path "/admin" will cause the // authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". 
@@ -1462,15 +1546,37 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). StatusOnError string `protobuf:"bytes,5,opt,name=status_on_error,json=statusOnError,proto3" json:"statusOnError,omitempty"` - // List of headers that should be included in the authorization request sent to the authorization service. - // Note that in addition to the headers supplied by users: - // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. - // 2. *Content-Length* will be set to 0 and the request will not have a message body. + // DEPRECATED. Use include_request_headers_in_check instead. IncludeHeadersInCheck []string `protobuf:"bytes,6,rep,name=include_headers_in_check,json=includeHeadersInCheck,proto3" json:"includeHeadersInCheck,omitempty"` + // List of client request headers that should be included in the authorization request sent to the authorization service. + // Note that in addition to the headers specified here following headers are included by default: + // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. + // 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization + // request can include the buffered client request body (controlled by include_request_body_in_check setting), + // consequently the value of Content-Length of the authorization request reflects the size of its payload size. + // + // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match + // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): + // - Exact match: "abc" will match on value "abc". + // - Prefix match: "abc*" will match on value "abc" and "abcd". + // - Suffix match: "*abc" will match on value "abc" and "xabc". 
+ IncludeRequestHeadersInCheck []string `protobuf:"bytes,10,rep,name=include_request_headers_in_check,json=includeRequestHeadersInCheck,proto3" json:"includeRequestHeadersInCheck,omitempty"` + // Set of additional fixed headers that should be included in the authorization request sent to the authorization service. + // Key is the header name and value is the header value. + // Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + IncludeAdditionalHeadersInCheck map[string]string `protobuf:"bytes,11,rep,name=include_additional_headers_in_check,json=includeAdditionalHeadersInCheck,proto3" json:"includeAdditionalHeadersInCheck,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // If set, the client request body will be included in the authorization request sent to the authorization service. + IncludeRequestBodyInCheck *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody `protobuf:"bytes,12,opt,name=include_request_body_in_check,json=includeRequestBodyInCheck,proto3" json:"includeRequestBodyInCheck,omitempty"` // List of headers from the authorization service that should be added or overridden in the original request and // forwarded to the upstream when the authorization check result is allowed (HTTP code 200). // If not specified, the original request will not be modified and forwarded to backend as-is. // Note, any existing headers will be overridden. + // + // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match + // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): + // - Exact match: "abc" will match on value "abc". + // - Prefix match: "abc*" will match on value "abc" and "abcd". + // - Suffix match: "*abc" will match on value "abc" and "xabc". 
HeadersToUpstreamOnAllow []string `protobuf:"bytes,7,rep,name=headers_to_upstream_on_allow,json=headersToUpstreamOnAllow,proto3" json:"headersToUpstreamOnAllow,omitempty"` // List of headers from the authorization service that should be forwarded to downstream when the authorization // check result is not allowed (HTTP code other than 200). @@ -1479,6 +1585,12 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct // When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are // automatically added. // Note, the body from the authorization service is always included in the response to downstream. + // + // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match + // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): + // - Exact match: "abc" will match on value "abc". + // - Prefix match: "abc*" will match on value "abc" and "abcd". + // - Suffix match: "*abc" will match on value "abc" and "xabc". HeadersToDownstreamOnDeny []string `protobuf:"bytes,8,rep,name=headers_to_downstream_on_deny,json=headersToDownstreamOnDeny,proto3" json:"headersToDownstreamOnDeny,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -1493,7 +1605,7 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) St } func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 0} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 1} } func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1536,6 +1648,13 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Ge return 0 } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetTimeout() *types.Duration { + if m != nil { + return m.Timeout + } + return nil +} + func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetPathPrefix() string { if m != nil { return m.PathPrefix @@ -1564,6 +1683,27 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Ge return nil } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetIncludeRequestHeadersInCheck() []string { + if m != nil { + return m.IncludeRequestHeadersInCheck + } + return nil +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetIncludeAdditionalHeadersInCheck() map[string]string { + if m != nil { + return m.IncludeAdditionalHeadersInCheck + } + return nil +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetIncludeRequestBodyInCheck() *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody { + if m != nil { + return m.IncludeRequestBodyInCheck + } + return nil +} + func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) GetHeadersToUpstreamOnAllow() []string { if m != nil { return m.HeadersToUpstreamOnAllow 
@@ -1588,16 +1728,22 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider struct Service string `protobuf:"bytes,1,opt,name=service,proto3" json:"service,omitempty"` // REQUIRED. Specifies the port of the service. Port uint32 `protobuf:"varint,2,opt,name=port,proto3" json:"port,omitempty"` - // If true, the user request will be allowed even if the communication with the authorization service has failed, + // The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). + // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + Timeout *types.Duration `protobuf:"bytes,5,opt,name=timeout,proto3" json:"timeout,omitempty"` + // If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, // or if the authorization service has returned a HTTP 5xx error. - // Default is false and the request will be rejected with "Forbidden" response. + // Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. FailOpen bool `protobuf:"varint,3,opt,name=fail_open,json=failOpen,proto3" json:"failOpen,omitempty"` // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). 
- StatusOnError string `protobuf:"bytes,4,opt,name=status_on_error,json=statusOnError,proto3" json:"statusOnError,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + StatusOnError string `protobuf:"bytes,4,opt,name=status_on_error,json=statusOnError,proto3" json:"statusOnError,omitempty"` + // If set, the client request body will be included in the authorization request sent to the authorization service. + IncludeRequestBodyInCheck *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody `protobuf:"bytes,6,opt,name=include_request_body_in_check,json=includeRequestBodyInCheck,proto3" json:"includeRequestBodyInCheck,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Reset() { @@ -1608,7 +1754,7 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) St } func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 1} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 2} } func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1651,6 +1797,13 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Ge return 0 } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) GetTimeout() *types.Duration { + if m != nil { + return m.Timeout + } + return nil +} + func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) GetFailOpen() bool { if m != nil { return m.FailOpen 
@@ -1665,6 +1818,13 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Ge return "" } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) GetIncludeRequestBodyInCheck() *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody { + if m != nil { + return m.IncludeRequestBodyInCheck + } + return nil +} + // Defines configuration for a Zipkin tracer. type MeshConfig_ExtensionProvider_ZipkinTracingProvider struct { // REQUIRED. Specifies the service that the Zipkin API. @@ -1692,7 +1852,7 @@ func (m *MeshConfig_ExtensionProvider_ZipkinTracingProvider) String() string { } func (*MeshConfig_ExtensionProvider_ZipkinTracingProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_ZipkinTracingProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 2} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 3} } func (m *MeshConfig_ExtensionProvider_ZipkinTracingProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1771,7 +1931,7 @@ func (m *MeshConfig_ExtensionProvider_LightstepTracingProvider) String() string } func (*MeshConfig_ExtensionProvider_LightstepTracingProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_LightstepTracingProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 3} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 4} } func (m *MeshConfig_ExtensionProvider_LightstepTracingProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -1855,7 +2015,7 @@ func (m *MeshConfig_ExtensionProvider_DatadogTracingProvider) String() string { } func (*MeshConfig_ExtensionProvider_DatadogTracingProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_DatadogTracingProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 4} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 5} } func (m *MeshConfig_ExtensionProvider_DatadogTracingProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1938,7 +2098,7 @@ func (m *MeshConfig_ExtensionProvider_StackdriverProvider) String() string { } func (*MeshConfig_ExtensionProvider_StackdriverProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_StackdriverProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 5} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 6} } func (m *MeshConfig_ExtensionProvider_StackdriverProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2034,7 +2194,7 @@ func (m *MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) String() s } func (*MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) ProtoMessage() {} func (*MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) Descriptor() ([]byte, []int) { - return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 6} + return fileDescriptor_b5c7ece76d5d5022, []int{0, 5, 7} } func (m *MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -2310,7 +2470,9 @@ func init() { proto.RegisterType((*MeshConfig_ServiceSettings_Settings)(nil), "istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings") proto.RegisterType((*MeshConfig_CA)(nil), "istio.mesh.v1alpha1.MeshConfig.CA") proto.RegisterType((*MeshConfig_ExtensionProvider)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider") + proto.RegisterType((*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody") proto.RegisterType((*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider") + proto.RegisterMapType((map[string]string)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry") proto.RegisterType((*MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider") proto.RegisterType((*MeshConfig_ExtensionProvider_ZipkinTracingProvider)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider") proto.RegisterType((*MeshConfig_ExtensionProvider_LightstepTracingProvider)(nil), "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider") 
@@ -2325,191 +2487,205 @@ func init() { func init() { proto.RegisterFile("mesh/v1alpha1/config.proto", fileDescriptor_b5c7ece76d5d5022) } var fileDescriptor_b5c7ece76d5d5022 = []byte{ - // 2932 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x59, 0x4f, 0x73, 0x1b, 0x37, - 0x96, 0x37, 0x29, 0xda, 0x6a, 0x81, 0xa4, 0xd4, 0x82, 0xfe, 0xb8, 0x4d, 0xc7, 0xb2, 0xac, 0xc4, - 0xb6, 0xe2, 0xf5, 0x52, 0xb1, 0x9c, 0x38, 0x4e, 0xb2, 0xb5, 0xb5, 0x14, 0x49, 0x5b, 0x62, 0x68, - 0x51, 0xdb, 0xa2, 0x9c, 0x7f, 0x95, 0x42, 0x41, 0xdd, 0x20, 0xd9, 0x51, 0xb3, 0xd1, 0x0b, 0xa0, - 0x65, 0xc9, 0x55, 0xfb, 0x09, 0x76, 0x2f, 0x7b, 0xde, 0xcb, 0x9c, 0xe6, 0x36, 0xf3, 0x39, 0xa6, - 0x6a, 0x2e, 0x73, 0xc8, 0x71, 0x0e, 0x53, 0xf9, 0x12, 0x73, 0x9d, 0xc2, 0x9f, 0x26, 0x5b, 0x12, - 0x63, 0x45, 0x53, 0x99, 0xb9, 0x11, 0x0f, 0xef, 0xf7, 0x7b, 0xc0, 0x6b, 0xe0, 0x3d, 0xbc, 0x47, - 0x50, 0x19, 0x12, 0x3e, 0xd8, 0x38, 0x7e, 0x82, 0xc3, 0x78, 0x80, 0x9f, 0x6c, 0x78, 0x34, 0xea, - 0x05, 0xfd, 0x6a, 0xcc, 0xa8, 0xa0, 0x70, 0x21, 0xe0, 0x22, 0xa0, 0x55, 0xa9, 0x51, 0x4d, 0x35, - 0x2a, 0x2b, 0x7d, 0x4a, 0xfb, 0x21, 0xd9, 0x50, 0x2a, 0x87, 0x49, 0x6f, 0xc3, 0x4f, 0x18, 0x16, - 0x01, 0x8d, 0x34, 0xe8, 0xe2, 0xfc, 0x1b, 0x86, 0xe3, 0x98, 0x30, 0x6e, 0xe6, 0x6f, 0x9d, 0x35, - 0x18, 0x33, 0x7a, 0x72, 0x6a, 0xa6, 0x1e, 0x45, 0x44, 0xbc, 0xa1, 0xec, 0x28, 0x88, 0xfa, 0xa9, - 0xc2, 0xd3, 0x0d, 0x9f, 0x70, 0x11, 0x44, 0xca, 0x02, 0x62, 0x49, 0x48, 0x8c, 0xee, 0xc7, 0x47, - 0xcf, 0x79, 0x35, 0xa0, 0x1b, 0x38, 0x0e, 0x86, 0xd8, 0x1b, 0x04, 0x11, 0x61, 0xa7, 0x1b, 0xf1, - 0x51, 0x5f, 0x0a, 0xf8, 0xc6, 0x90, 0x08, 0xbc, 0x71, 0xfc, 0x64, 0xa3, 0x4f, 0x22, 0xc2, 0xb0, - 0x20, 0xbe, 0x46, 0xad, 0xfd, 0xf6, 0x19, 0x00, 0xaf, 0x08, 0x1f, 0xd4, 0xd5, 0x36, 0xe1, 0x23, - 0x30, 0xaf, 0xec, 0xa3, 0x30, 0xe0, 0x82, 0x44, 0x28, 0xa6, 0x4c, 0x38, 0x85, 0xd5, 0xdc, 0xfa, - 0x75, 0x77, 0x4e, 0x4d, 0xb4, 0x95, 0x7c, 0x8f, 0x32, 0x01, 0x1f, 0x00, 0x2d, 0x42, 0x03, 0x21, - 
0x62, 0xad, 0x79, 0x5d, 0x69, 0x96, 0x95, 0x78, 0x5b, 0x88, 0x58, 0xe9, 0x6d, 0x81, 0x39, 0x8f, - 0x46, 0x11, 0xf1, 0x04, 0x12, 0xc1, 0x90, 0xd0, 0x44, 0x38, 0x37, 0x56, 0x73, 0xeb, 0xc5, 0xcd, - 0x5b, 0x55, 0xed, 0x99, 0x6a, 0xea, 0x99, 0x6a, 0xc3, 0x78, 0xce, 0x9d, 0x35, 0x88, 0xae, 0x06, - 0xc0, 0xaf, 0x40, 0x45, 0x29, 0x79, 0x34, 0x44, 0x3e, 0x11, 0xc4, 0x53, 0xbb, 0x4f, 0xe9, 0x1e, - 0x5d, 0x46, 0xe7, 0xa4, 0xe0, 0x46, 0x8a, 0x4d, 0x89, 0x29, 0x28, 0x0b, 0x2f, 0x46, 0x47, 0x84, - 0xc4, 0x38, 0x0c, 0x8e, 0x89, 0xf3, 0x9e, 0xe2, 0x6a, 0x55, 0xf5, 0x97, 0x1e, 0xfb, 0x3f, 0xfd, - 0xde, 0x4f, 0xab, 0x75, 0xbd, 0xb4, 0x80, 0x46, 0x7b, 0x94, 0x86, 0xfb, 0x44, 0x88, 0x20, 0xea, - 0xf3, 0x6a, 0xb7, 0xbe, 0x37, 0xfe, 0xed, 0xc5, 0x5f, 0xa6, 0x8c, 0x6e, 0x49, 0x64, 0x46, 0xf0, - 0x7d, 0x50, 0x0e, 0xa2, 0x3e, 0x23, 0x9c, 0x23, 0x2f, 0xc4, 0x9c, 0x3b, 0xd3, 0xab, 0xb9, 0xf5, - 0x19, 0xb7, 0x64, 0x84, 0x75, 0x29, 0x83, 0x0f, 0xc1, 0x5c, 0xaa, 0xc4, 0x09, 0x3b, 0x0e, 0x3c, - 0xe2, 0x58, 0x4a, 0x6d, 0xd6, 0x88, 0xf7, 0xb5, 0x14, 0x0e, 0xc1, 0xcd, 0x11, 0x1b, 0x8d, 0x04, - 0xa3, 0x61, 0x48, 0x18, 0x1a, 0x52, 0x9f, 0x38, 0x33, 0xab, 0xb9, 0xf5, 0xd9, 0xcd, 0x4f, 0xaa, - 0x13, 0x8e, 0x6c, 0x75, 0xfc, 0xc5, 0xab, 0x3b, 0xc6, 0xee, 0x08, 0xfd, 0x8a, 0xfa, 0xc4, 0x5d, - 0x0a, 0x26, 0x89, 0xe1, 0x87, 0xc0, 0x1e, 0xaf, 0x2b, 0x24, 0x9e, 0xa0, 0xcc, 0xf9, 0x58, 0x2d, - 0x6c, 0x6e, 0xb4, 0x30, 0x2d, 0x86, 0xf7, 0xc1, 0x2c, 0x89, 0xf0, 0x61, 0x48, 0x90, 0x60, 0xd8, - 0x0b, 0xa2, 0xbe, 0x53, 0x5a, 0xcd, 0xad, 0x5b, 0x6e, 0x59, 0x4b, 0xbb, 0x5a, 0x28, 0x0f, 0x11, - 0xf6, 0x3c, 0x49, 0x18, 0xd2, 0x3e, 0xea, 0x05, 0x21, 0x71, 0xca, 0x8a, 0xb0, 0xac, 0xc5, 0x6d, - 0xda, 0x7f, 0x11, 0x84, 0x44, 0x1e, 0xcc, 0xac, 0x1e, 0x65, 0x43, 0x2c, 0x1c, 0x47, 0x9b, 0x1e, - 0x6b, 0x2a, 0x31, 0xc4, 0x60, 0x21, 0xa3, 0x4b, 0x22, 0x8f, 0xfa, 0xd2, 0xfe, 0x6d, 0xe5, 0x90, - 0x27, 0x97, 0x39, 0xa4, 0x96, 0xb2, 0x35, 0x0d, 0xd0, 0x9d, 0xc7, 0xe7, 0x45, 0xb0, 0x01, 0xee, - 0x9a, 0xdd, 0x91, 0xe8, 0x98, 0x9e, 
0xa2, 0x8c, 0xbd, 0xf4, 0x83, 0xad, 0xab, 0xed, 0xde, 0xd6, - 0x6a, 0x4d, 0xa9, 0x35, 0x62, 0x4e, 0xbf, 0xde, 0x17, 0xa0, 0xe2, 0x07, 0x3c, 0x43, 0xa3, 0x6f, - 0x1d, 0x61, 0x92, 0xc8, 0x79, 0xae, 0x08, 0x6e, 0x1a, 0x0d, 0xc5, 0xd0, 0x36, 0xf3, 0x6d, 0xda, - 0x87, 0x2f, 0xc1, 0xac, 0x4f, 0x7a, 0x38, 0x09, 0x05, 0xd2, 0x31, 0xca, 0x99, 0x55, 0x47, 0x77, - 0x75, 0xe2, 0x06, 0xf7, 0xe4, 0x95, 0xd4, 0x3b, 0x74, 0xcb, 0x06, 0x67, 0xee, 0xfc, 0x10, 0xdc, - 0xa4, 0x89, 0x38, 0xa4, 0x49, 0xe4, 0xcb, 0x6f, 0xd5, 0xeb, 0x05, 0x1e, 0x8a, 0x69, 0x18, 0x78, - 0xa7, 0xce, 0xbc, 0x62, 0xbc, 0xf4, 0x0c, 0x75, 0x0c, 0xbc, 0xab, 0xd1, 0x7b, 0x0a, 0xec, 0x2e, - 0xd1, 0x49, 0x62, 0xb8, 0x0d, 0x66, 0xf5, 0x7a, 0x11, 0xa7, 0x09, 0xf3, 0x08, 0x77, 0x96, 0x57, - 0xa7, 0xd6, 0x8b, 0x9b, 0xf7, 0x26, 0x5a, 0xd1, 0x16, 0xf6, 0x95, 0xa6, 0x5b, 0xf6, 0x32, 0x23, - 0x0e, 0x1b, 0xc0, 0x36, 0x1f, 0x01, 0x27, 0x82, 0xa2, 0xa1, 0x08, 0xb9, 0xf3, 0x2f, 0x6a, 0xc5, - 0x95, 0x0b, 0xa1, 0x60, 0x8b, 0xd2, 0xf0, 0x35, 0x0e, 0x13, 0xe2, 0x9a, 0x63, 0x59, 0x4b, 0x04, - 0x7d, 0x25, 0x42, 0x0e, 0xef, 0x81, 0x92, 0x60, 0x09, 0x17, 0xc8, 0xa7, 0x43, 0x1c, 0x44, 0x4e, - 0x45, 0x1d, 0xaa, 0xa2, 0x92, 0x35, 0x94, 0x08, 0x7e, 0x04, 0x16, 0xb3, 0x2a, 0x08, 0x87, 0x01, - 0xe6, 0x84, 0x3b, 0xd5, 0xd5, 0xa9, 0xf5, 0x19, 0x17, 0x66, 0x54, 0x6b, 0x7a, 0x06, 0x7e, 0x0d, - 0xe6, 0x3c, 0x8c, 0x3c, 0xc2, 0x44, 0xd0, 0x0b, 0x3c, 0x2c, 0x08, 0x77, 0x3e, 0x57, 0xbb, 0xdc, - 0xb8, 0xcc, 0x97, 0xf5, 0x31, 0xa6, 0x81, 0x05, 0x76, 0x67, 0x3d, 0x9c, 0x11, 0x71, 0xf8, 0x19, - 0xb8, 0x95, 0x7e, 0x76, 0x73, 0xd2, 0x10, 0x39, 0x91, 0xc1, 0x17, 0x09, 0xea, 0xdc, 0x55, 0x0b, - 0x5a, 0x36, 0x0a, 0xe6, 0x98, 0x35, 0xd5, 0x74, 0x97, 0xc2, 0x6d, 0x70, 0x2f, 0x85, 0x1e, 0x07, - 0x4c, 0x24, 0x38, 0x9c, 0x40, 0xb1, 0xaa, 0x28, 0xee, 0x18, 0xc5, 0xd7, 0x5a, 0xef, 0x3c, 0x53, - 0x0b, 0xac, 0xa5, 0x4c, 0xe7, 0xb3, 0x51, 0x86, 0xea, 0x9e, 0xa2, 0x5a, 0x31, 0x9a, 0x8d, 0xb1, - 0xa2, 0x9b, 0x84, 0x63, 0xae, 0xfb, 0x60, 0x96, 0x51, 0x2a, 0x50, 0x84, 
0x87, 0x84, 0xc7, 0xd8, - 0x23, 0xce, 0x9a, 0x0e, 0x00, 0x52, 0xba, 0x9b, 0x0a, 0x61, 0x0f, 0x2c, 0x84, 0xd4, 0xc3, 0x61, - 0x20, 0x4e, 0x51, 0x78, 0x88, 0xb8, 0x0e, 0xb5, 0xce, 0xfb, 0xea, 0x7b, 0x3f, 0x7b, 0x47, 0xb8, - 0x6e, 0x1b, 0x54, 0x9b, 0x62, 0x7f, 0x0b, 0x87, 0x38, 0xf2, 0x08, 0x33, 0x81, 0xda, 0x9d, 0x4f, - 0x29, 0xdb, 0x87, 0x46, 0x04, 0xeb, 0xc0, 0xf6, 0x23, 0x8e, 0x18, 0xe9, 0x31, 0xc2, 0x07, 0x48, - 0xe6, 0x4a, 0xe7, 0x83, 0x4b, 0xd3, 0x95, 0x1f, 0x71, 0x57, 0x23, 0x5c, 0x2c, 0x08, 0xfc, 0x0e, - 0xcc, 0x0f, 0x36, 0x51, 0x12, 0xf7, 0x19, 0xf6, 0x49, 0x7a, 0x99, 0x3e, 0x54, 0xf1, 0xe7, 0xd2, - 0x03, 0xb0, 0xbd, 0x79, 0xa0, 0x71, 0xe6, 0x1a, 0xcd, 0x0d, 0xce, 0x0a, 0xe4, 0x09, 0x08, 0x22, - 0x7d, 0x5d, 0xbd, 0x30, 0xe1, 0x82, 0x30, 0xc4, 0x05, 0xd6, 0x0e, 0x74, 0x1e, 0x2b, 0xdf, 0x2d, - 0x1b, 0x85, 0xba, 0x9e, 0xdf, 0x17, 0x58, 0x79, 0x52, 0x06, 0x9c, 0xd1, 0x55, 0xbf, 0x88, 0xfd, - 0x57, 0x85, 0x1d, 0x05, 0x83, 0xf3, 0xe0, 0x06, 0x28, 0x9d, 0x39, 0xd0, 0x1b, 0xea, 0x40, 0x4f, - 0x0e, 0x37, 0x99, 0x23, 0xeb, 0x9e, 0x41, 0xc1, 0xff, 0x04, 0x65, 0x31, 0x60, 0x41, 0x6f, 0x14, - 0xb5, 0x9e, 0x28, 0xe7, 0x3e, 0xbe, 0xcc, 0x2d, 0x5d, 0x05, 0x32, 0x11, 0xac, 0x24, 0x32, 0x23, - 0xf8, 0x2d, 0xb0, 0xd3, 0x73, 0x6c, 0x8e, 0x05, 0x77, 0x36, 0x7f, 0xd9, 0x6d, 0x33, 0x07, 0x3b, - 0x4d, 0xdc, 0xee, 0x1c, 0x3f, 0x2b, 0x80, 0x2e, 0xb8, 0x69, 0x62, 0x4c, 0xcc, 0xe8, 0x90, 0x88, - 0x01, 0x49, 0x38, 0x1a, 0x12, 0xd6, 0x27, 0xce, 0xd3, 0x4b, 0x43, 0xcd, 0x92, 0x86, 0xee, 0x8d, - 0x90, 0xaf, 0x24, 0x10, 0x7e, 0x07, 0xde, 0x3b, 0x26, 0x2c, 0xe8, 0x9d, 0x66, 0x03, 0x04, 0xc2, - 0x02, 0x79, 0x61, 0x40, 0x22, 0xe1, 0x3c, 0xbb, 0x94, 0xf8, 0x96, 0xc6, 0x67, 0xbc, 0x5c, 0x13, - 0x75, 0x05, 0x86, 0x9b, 0x20, 0xef, 0x61, 0xe7, 0x53, 0x45, 0xb1, 0x76, 0x69, 0xb0, 0xa9, 0xb9, - 0x79, 0x0f, 0xc3, 0x43, 0xb0, 0x40, 0x4e, 0x04, 0x89, 0xb8, 0xbc, 0xc4, 0x31, 0xa3, 0xc7, 0x81, - 0x4f, 0x18, 0x77, 0x3e, 0x53, 0x3e, 0xbc, 0x34, 0x61, 0x36, 0x53, 0xe8, 0x9e, 0x41, 0xba, 0x90, - 0x9c, 0x17, 
0x71, 0xf8, 0x3d, 0x98, 0x4f, 0x43, 0xc6, 0xd8, 0xc2, 0xbf, 0xa9, 0x65, 0x7e, 0x74, - 0x99, 0x85, 0x86, 0x06, 0x8e, 0xc8, 0x5c, 0xdb, 0x3f, 0x27, 0x81, 0x3e, 0x58, 0xf0, 0x03, 0xee, - 0xd1, 0x63, 0xc2, 0x4e, 0x47, 0x6f, 0x13, 0xee, 0x7c, 0xa1, 0xb6, 0xf0, 0xb4, 0xaa, 0xdf, 0xc6, - 0xd5, 0xec, 0xdb, 0xb8, 0x1a, 0x1f, 0xf5, 0xa5, 0x80, 0x57, 0xe5, 0xdb, 0xb8, 0x7a, 0xfc, 0xa4, - 0xda, 0xc6, 0x87, 0x24, 0x4c, 0x1f, 0x30, 0x2e, 0x1c, 0xf1, 0xa5, 0x22, 0x5e, 0xf9, 0x5d, 0x0e, - 0x2c, 0x4d, 0x4c, 0x76, 0x70, 0x17, 0x14, 0xd4, 0xab, 0x2b, 0xa7, 0x2e, 0xf9, 0xe7, 0x7f, 0x57, - 0xc6, 0xac, 0xaa, 0xa7, 0x97, 0xe2, 0x59, 0x6b, 0x80, 0x82, 0x7a, 0x71, 0xcd, 0x83, 0xb2, 0xdb, - 0x7c, 0xb9, 0xb3, 0xdf, 0x75, 0xbf, 0x41, 0x9d, 0xdd, 0xf6, 0x37, 0xf6, 0x35, 0x58, 0x06, 0x33, - 0xb5, 0x76, 0xbb, 0xf3, 0x15, 0xaa, 0xed, 0x7e, 0x63, 0xe7, 0xd6, 0x0a, 0x56, 0xde, 0xce, 0x3f, - 0x5a, 0x7c, 0xbd, 0xe3, 0x76, 0x0f, 0x6a, 0x6d, 0xb4, 0xdf, 0x74, 0x5f, 0xef, 0xd4, 0x9b, 0x4a, - 0xb9, 0xf2, 0xbf, 0x39, 0x30, 0x77, 0x2e, 0xa1, 0x40, 0x08, 0xa6, 0x62, 0x32, 0x54, 0x0b, 0x9d, - 0xd9, 0xbe, 0xe6, 0xca, 0x01, 0x7c, 0x0c, 0xe6, 0x79, 0x1c, 0xf4, 0x7a, 0x04, 0x1d, 0x26, 0x91, - 0x1f, 0x12, 0x94, 0xb0, 0xd0, 0xc9, 0x1b, 0x8d, 0x39, 0x3d, 0xb5, 0xa5, 0x66, 0x0e, 0x58, 0x28, - 0x9f, 0xb0, 0xd9, 0x74, 0xc8, 0x9d, 0x29, 0x15, 0xe8, 0x4b, 0x99, 0x3c, 0xc8, 0xb7, 0x20, 0xb0, - 0xb3, 0xa7, 0xdb, 0xc7, 0x02, 0x57, 0xfe, 0x1b, 0x94, 0xb2, 0xd7, 0x18, 0x7e, 0x00, 0x66, 0x65, - 0x7c, 0x45, 0x61, 0x30, 0x0c, 0x84, 0xb2, 0x99, 0xd3, 0x8f, 0x61, 0x29, 0x6d, 0x4b, 0xa1, 0x34, - 0xf7, 0x12, 0xc0, 0x8c, 0x56, 0xfa, 0xe6, 0xcf, 0x5f, 0x16, 0x93, 0xed, 0x11, 0x89, 0x79, 0xeb, - 0x57, 0x7e, 0x9f, 0x03, 0x73, 0xe7, 0x2e, 0x3c, 0xec, 0x02, 0x6b, 0x14, 0x33, 0x72, 0x8a, 0xf2, - 0xf9, 0x15, 0x63, 0x46, 0x75, 0x14, 0x3c, 0x46, 0x4c, 0x70, 0x11, 0x5c, 0x1f, 0x50, 0x2e, 0xb8, - 0x93, 0x57, 0x9e, 0xd1, 0x83, 0xca, 0x06, 0xb0, 0x46, 0x76, 0xdf, 0x07, 0xe5, 0x34, 0x00, 0xab, - 0x1c, 0xa4, 0x8c, 0x5b, 0x6e, 0xc9, 0x08, 0x55, 
0xd2, 0xaa, 0xfc, 0x98, 0x03, 0xf9, 0x7a, 0x0d, - 0x3a, 0x60, 0x1a, 0xfb, 0xbe, 0x7c, 0x5d, 0x1b, 0xff, 0xa4, 0x43, 0xd8, 0x01, 0x25, 0x11, 0xf2, - 0x71, 0xd4, 0xcb, 0x9f, 0x89, 0xa5, 0x13, 0x8b, 0x17, 0x15, 0x25, 0xba, 0xed, 0xfd, 0xd1, 0xaa, - 0x8b, 0x22, 0xe4, 0xa3, 0x65, 0x6d, 0x81, 0x39, 0x46, 0xfe, 0x2b, 0x21, 0x7c, 0xec, 0xe8, 0xa9, - 0x4b, 0x93, 0x9f, 0x41, 0xa4, 0x25, 0xd5, 0x5d, 0x50, 0x54, 0xf6, 0x7d, 0xc4, 0x03, 0x9f, 0xa8, - 0xea, 0xd1, 0x72, 0x81, 0x16, 0xed, 0x07, 0x3e, 0xa9, 0xfc, 0x66, 0x01, 0xcc, 0x5f, 0x08, 0x1a, - 0x10, 0x82, 0x82, 0xca, 0x42, 0x7a, 0x8b, 0xea, 0x37, 0xfc, 0x9f, 0x1c, 0x58, 0xd4, 0x2f, 0x63, - 0x72, 0x22, 0xe4, 0x2b, 0x6f, 0xf0, 0x56, 0x55, 0x9b, 0x66, 0xa3, 0x5f, 0x5f, 0x39, 0x34, 0x55, - 0xd5, 0x33, 0x5a, 0x8a, 0x59, 0x84, 0xc3, 0x5a, 0x22, 0x06, 0x94, 0x05, 0x6f, 0xd5, 0x3e, 0x54, - 0xbd, 0x6a, 0xd4, 0xb6, 0xaf, 0xb9, 0xf3, 0xc4, 0x68, 0x4a, 0xa5, 0xb7, 0x72, 0x72, 0xe2, 0x6a, - 0xfa, 0x2c, 0xf6, 0x8c, 0x8b, 0x7e, 0xd5, 0xd5, 0xbc, 0x64, 0xb1, 0xf7, 0xb3, 0xab, 0x91, 0x93, - 0x10, 0x83, 0x1b, 0x6f, 0x83, 0xf8, 0x28, 0x88, 0x94, 0x87, 0x8b, 0x9b, 0x2f, 0xaf, 0x6e, 0xfe, - 0x5b, 0x85, 0x37, 0xa5, 0x58, 0xc6, 0x9a, 0x21, 0x86, 0x3f, 0x80, 0x99, 0x30, 0xe8, 0x0f, 0x04, - 0x17, 0x24, 0x56, 0xb5, 0xfd, 0xb8, 0x30, 0xbe, 0x82, 0x95, 0x76, 0x4a, 0x71, 0xd1, 0xd0, 0x98, - 0x1e, 0xfa, 0x60, 0x5a, 0xc6, 0x08, 0x9f, 0xf6, 0x4d, 0x77, 0x60, 0xfb, 0xea, 0x96, 0x1a, 0x9a, - 0xe0, 0xa2, 0x9d, 0x94, 0x1a, 0x06, 0xa0, 0xc8, 0x05, 0xf6, 0x8e, 0x7c, 0x16, 0x1c, 0x13, 0xa6, - 0x6a, 0xef, 0xe2, 0x66, 0xf3, 0xea, 0x96, 0xf6, 0xc7, 0x24, 0x19, 0x33, 0x59, 0x6e, 0xc8, 0x00, - 0xa0, 0x31, 0x89, 0x3c, 0x12, 0xf1, 0x84, 0xab, 0xf2, 0xbd, 0xb8, 0xb9, 0x77, 0x75, 0x4b, 0x9d, - 0x98, 0x44, 0x75, 0xc5, 0x51, 0xeb, 0xcb, 0x9b, 0x7b, 0x61, 0x6f, 0x19, 0x2b, 0x95, 0xbf, 0xe6, - 0xc1, 0x83, 0x5f, 0x76, 0xc2, 0x65, 0x50, 0x49, 0x2b, 0x55, 0x13, 0x54, 0xcc, 0x50, 0x5e, 0x44, - 0xd5, 0xcc, 0x91, 0x77, 0xac, 0xec, 0xaa, 0xdf, 0xf2, 0x4e, 0xc7, 0x58, 0x0c, 0x50, 
0xcc, 0x48, - 0x2f, 0x38, 0x51, 0x07, 0x7e, 0xc6, 0x05, 0x52, 0xb4, 0xa7, 0x24, 0xf0, 0x36, 0x98, 0xe9, 0xe1, - 0x20, 0x44, 0x72, 0x31, 0xe6, 0xca, 0x5b, 0x52, 0x20, 0x97, 0x2f, 0x8b, 0x7c, 0xf9, 0xca, 0x4c, - 0x38, 0xa2, 0x11, 0x22, 0x8c, 0x51, 0xa6, 0x4e, 0xd3, 0x8c, 0x5b, 0xd6, 0xe2, 0x4e, 0xd4, 0x94, - 0x42, 0xf8, 0x29, 0x70, 0x82, 0xc8, 0x0b, 0x13, 0x9f, 0xa0, 0x01, 0xc1, 0x32, 0xaf, 0xa3, 0x20, - 0x42, 0xde, 0x80, 0x78, 0x47, 0xce, 0x0d, 0x15, 0x49, 0x97, 0xcc, 0xfc, 0xb6, 0x9e, 0xde, 0x89, - 0xea, 0x72, 0x12, 0xfe, 0x3b, 0x78, 0x2f, 0x05, 0x08, 0x8a, 0x92, 0x98, 0x0b, 0x46, 0xf0, 0x50, - 0x5a, 0xc3, 0x61, 0x48, 0xdf, 0x38, 0xd3, 0x0a, 0xec, 0x18, 0x9d, 0x2e, 0x3d, 0x30, 0x1a, 0x9d, - 0xa8, 0x26, 0xe7, 0xe1, 0x7f, 0x80, 0x3b, 0x19, 0xbc, 0x4f, 0xdf, 0x44, 0x63, 0x06, 0x9f, 0x44, - 0xa7, 0x8e, 0xa5, 0x08, 0x6e, 0x8d, 0x08, 0x1a, 0x23, 0x95, 0x4e, 0xd4, 0x20, 0xd1, 0x69, 0xe5, - 0xff, 0x73, 0xef, 0xf2, 0x7c, 0xf6, 0x36, 0x5f, 0xd1, 0xf3, 0x67, 0x1c, 0x3b, 0x75, 0xb9, 0x63, - 0x0b, 0x13, 0x1c, 0x5b, 0x39, 0x02, 0x4b, 0x13, 0xef, 0xfa, 0x15, 0xd7, 0xf2, 0x01, 0x98, 0x1d, - 0xe2, 0x13, 0x24, 0x70, 0x1f, 0x85, 0x24, 0xea, 0x8b, 0x81, 0x5a, 0x50, 0xd9, 0x2d, 0x0d, 0xf1, - 0x49, 0x17, 0xf7, 0xdb, 0x4a, 0x56, 0xf9, 0xbf, 0x1c, 0x70, 0x7e, 0xee, 0xce, 0x5f, 0xd1, 0xe0, - 0x3d, 0x50, 0x32, 0x9d, 0x15, 0x41, 0x8f, 0xcc, 0xfe, 0x67, 0xdc, 0xa2, 0x96, 0x75, 0xa5, 0x68, - 0xc2, 0x9a, 0x0a, 0x13, 0xd6, 0x14, 0x82, 0xe5, 0xc9, 0xc1, 0xe1, 0x1f, 0xe2, 0x81, 0x3f, 0xe7, - 0xc1, 0xc2, 0x84, 0x08, 0x21, 0x9f, 0x05, 0x3e, 0x39, 0x4c, 0xfa, 0x26, 0xd9, 0xeb, 0x01, 0xec, - 0x02, 0x47, 0x72, 0x46, 0xc9, 0xf0, 0x90, 0x30, 0x44, 0x7b, 0x08, 0x0b, 0xc1, 0x82, 0xc3, 0x44, - 0xd6, 0x58, 0x3a, 0xcf, 0xdd, 0xbe, 0x90, 0x7c, 0x77, 0x22, 0xf1, 0xec, 0x63, 0x53, 0x64, 0x0c, - 0xf1, 0xc9, 0xae, 0xc2, 0x76, 0x7a, 0xb5, 0x11, 0x12, 0xbe, 0x06, 0xb7, 0xce, 0xb1, 0x46, 0x11, - 0x15, 0xea, 0x34, 0x72, 0x93, 0xb0, 0xde, 0x49, 0xbb, 0x9c, 0xa5, 0x1d, 0x43, 0x65, 0xf1, 0x72, - 0x96, 0x77, 0x48, 0x38, 
0xc7, 0x7d, 0x82, 0xc8, 0x31, 0x89, 0x04, 0x37, 0xc9, 0xe8, 0x9d, 0xd4, - 0x4e, 0x86, 0xfa, 0x95, 0x46, 0x37, 0x15, 0x78, 0x82, 0x7b, 0xaf, 0x4f, 0x70, 0xef, 0x8f, 0x79, - 0xb0, 0xf2, 0xee, 0xb0, 0x78, 0xc5, 0xaf, 0xfa, 0x06, 0x4c, 0x7b, 0x34, 0x12, 0xe4, 0x44, 0xa8, - 0xa7, 0xec, 0xec, 0xe6, 0xf7, 0xbf, 0x76, 0x9c, 0xae, 0xca, 0x31, 0xa9, 0x6b, 0x23, 0x6e, 0x6a, - 0xed, 0x97, 0x1d, 0xde, 0x35, 0x02, 0x4a, 0x59, 0x38, 0x9c, 0x03, 0xc5, 0x83, 0xdd, 0xfd, 0xbd, - 0x66, 0x7d, 0xe7, 0xc5, 0x4e, 0xb3, 0x61, 0x5f, 0x83, 0x4b, 0x60, 0xfe, 0xab, 0xa7, 0x75, 0xd4, - 0x75, 0x6b, 0xf5, 0x26, 0xaa, 0x77, 0x76, 0xbb, 0xcd, 0xaf, 0xbb, 0x76, 0x0e, 0x96, 0x80, 0xf5, - 0xd2, 0xdd, 0xab, 0xa3, 0xad, 0x9d, 0x5d, 0x3b, 0x0f, 0x6f, 0x82, 0x85, 0x7a, 0xbb, 0x73, 0xd0, - 0x38, 0xa7, 0x36, 0x05, 0x6f, 0x80, 0xfc, 0xd6, 0x53, 0xbb, 0xb0, 0x05, 0x80, 0x95, 0x56, 0x66, - 0x95, 0xc7, 0xc0, 0x3e, 0x5f, 0x74, 0x49, 0x9f, 0xa6, 0xad, 0x5c, 0xe3, 0x53, 0x33, 0x5c, 0x6b, - 0x81, 0xa5, 0x89, 0x6d, 0xe4, 0x8b, 0x2b, 0x9d, 0x06, 0x53, 0x9d, 0x17, 0x2f, 0xec, 0x1c, 0x2c, - 0x82, 0xe9, 0x46, 0xf3, 0x45, 0xed, 0xa0, 0xdd, 0xb5, 0xf3, 0x10, 0x80, 0x1b, 0xfb, 0x5d, 0x77, - 0xa7, 0xde, 0xb5, 0xa7, 0xd6, 0x1e, 0x00, 0x20, 0x43, 0xa7, 0x29, 0xab, 0x2c, 0x50, 0xd8, 0xed, - 0xec, 0x36, 0xed, 0x6b, 0x70, 0x16, 0x80, 0x57, 0x07, 0xaa, 0xc2, 0xe9, 0xb6, 0xf7, 0xed, 0xdc, - 0xda, 0x43, 0x30, 0x7f, 0xa1, 0x53, 0x2b, 0xd5, 0xd5, 0xa6, 0xae, 0xc9, 0x5f, 0xad, 0xfd, 0xce, - 0xae, 0x9d, 0x5b, 0xdb, 0x04, 0x73, 0xe7, 0x5a, 0x2a, 0x10, 0x82, 0xd9, 0x46, 0x07, 0xed, 0x76, - 0xba, 0xe8, 0x60, 0xef, 0xa5, 0x5b, 0x6b, 0x48, 0xfe, 0x22, 0x98, 0x4e, 0x07, 0xb9, 0x56, 0xc1, - 0xca, 0xd9, 0xf9, 0x96, 0xac, 0xac, 0xa6, 0x5a, 0x05, 0x6b, 0xca, 0x2e, 0xb4, 0x0a, 0xd6, 0x47, - 0xf6, 0x93, 0x56, 0xc1, 0xba, 0x65, 0x57, 0x5a, 0x05, 0x6b, 0xc5, 0xbe, 0xdb, 0x2a, 0x58, 0xc0, - 0x2e, 0xb6, 0x0a, 0x56, 0xd1, 0x2e, 0xb5, 0x0a, 0xd6, 0x9c, 0x6d, 0xb7, 0x0a, 0x96, 0x6d, 0xcf, - 0xb7, 0x0a, 0x16, 0xb4, 0x17, 0x5a, 0x05, 0x6b, 0xc1, 0x5e, 
0x6c, 0x15, 0xac, 0x45, 0x7b, 0xa9, - 0x55, 0xb0, 0x96, 0xec, 0xe5, 0x56, 0xc1, 0xba, 0x69, 0x3b, 0xad, 0x82, 0x75, 0xc7, 0x5e, 0x69, - 0x15, 0xac, 0x4f, 0xec, 0x67, 0xad, 0x82, 0x75, 0xdf, 0x7e, 0xd0, 0x2a, 0x58, 0x0f, 0xec, 0x87, - 0xad, 0x82, 0xf5, 0xd0, 0x5e, 0x77, 0xe1, 0x30, 0x38, 0x21, 0x4c, 0x67, 0x3c, 0xd5, 0x9b, 0x23, - 0xcc, 0x5d, 0xd0, 0x32, 0x46, 0x54, 0x5b, 0xcd, 0x08, 0x97, 0xd2, 0xbe, 0xb1, 0xee, 0x2d, 0x69, - 0x04, 0x77, 0x47, 0xed, 0x64, 0x8d, 0x51, 0x7f, 0xcc, 0x68, 0x20, 0x77, 0x97, 0xb3, 0xaa, 0x68, - 0x94, 0x53, 0xdc, 0xfb, 0xf2, 0x95, 0xee, 0x61, 0x26, 0x33, 0x9f, 0x20, 0x21, 0x19, 0x12, 0xa1, - 0x4a, 0x68, 0xae, 0xba, 0x01, 0xb2, 0x3c, 0x8d, 0x02, 0x71, 0xea, 0x16, 0xe5, 0x7b, 0xd7, 0x98, - 0x73, 0xe7, 0x99, 0x3f, 0x6e, 0x91, 0xf9, 0x24, 0xc4, 0xa7, 0x6e, 0x59, 0x9b, 0x34, 0x95, 0x89, - 0x9b, 0xb6, 0xc7, 0x75, 0x4b, 0x43, 0x55, 0x02, 0x67, 0xd6, 0xea, 0x96, 0xb8, 0xcf, 0x51, 0xe2, - 0x73, 0x24, 0x1f, 0x11, 0xee, 0x3c, 0xbf, 0x40, 0xb8, 0x6c, 0x18, 0xe4, 0x8c, 0x8a, 0xfe, 0x68, - 0x48, 0x93, 0x48, 0xb8, 0x50, 0x01, 0x39, 0x41, 0x47, 0xcf, 0x39, 0xe2, 0x18, 0xfd, 0xf0, 0x46, - 0xb8, 0x15, 0x41, 0xd8, 0x30, 0xed, 0x42, 0xfa, 0x0c, 0x07, 0x11, 0x4a, 0xff, 0x84, 0x73, 0x17, - 0x53, 0x9f, 0x18, 0x0f, 0x1e, 0x62, 0xe1, 0x0d, 0x5c, 0x27, 0x3b, 0x42, 0xf2, 0x12, 0x92, 0x48, - 0xb0, 0x80, 0x70, 0x77, 0xe9, 0xc2, 0x8c, 0xac, 0x84, 0xd6, 0xfe, 0x98, 0x03, 0xa5, 0x6c, 0x33, - 0xfa, 0x9f, 0x59, 0x95, 0xed, 0x81, 0x45, 0x9e, 0x1c, 0x72, 0x8f, 0x05, 0x87, 0xc4, 0x47, 0x8c, - 0xa4, 0x8d, 0x73, 0x1d, 0xac, 0xee, 0x4c, 0x0c, 0x56, 0xae, 0xd1, 0x72, 0x17, 0xc6, 0xd0, 0x54, - 0xc6, 0xd7, 0xbe, 0x04, 0xc5, 0x4c, 0x5f, 0x40, 0x3e, 0xef, 0x38, 0xf1, 0x18, 0x31, 0x8d, 0x40, - 0xbd, 0x1f, 0xa0, 0x45, 0xaa, 0xf7, 0x77, 0x1b, 0xcc, 0xf8, 0x11, 0xd7, 0x3d, 0x5a, 0x53, 0xd4, - 0x5a, 0x7e, 0xc4, 0x55, 0x7b, 0xf6, 0xd1, 0x2a, 0xb0, 0x52, 0x66, 0xb8, 0x08, 0xec, 0xb4, 0x03, - 0x91, 0xf6, 0x2d, 0xec, 0x6b, 0x5b, 0xeb, 0x7f, 0xf8, 0x69, 0x25, 0xf7, 0xa7, 0x9f, 0x56, 0x72, - 
0x7f, 0xf9, 0x69, 0x25, 0xf7, 0x6d, 0x45, 0xaf, 0x57, 0xff, 0x57, 0xb9, 0x71, 0xe6, 0xdf, 0xcf, - 0xc3, 0x1b, 0x2a, 0x61, 0x3c, 0xfd, 0x5b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x24, 0xa2, 0xee, 0x9f, - 0x86, 0x1d, 0x00, 0x00, + // 3165 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x5a, 0x4f, 0x73, 0x1b, 0x39, + 0x76, 0x37, 0x29, 0xda, 0x6a, 0x81, 0xa4, 0xd4, 0x82, 0x24, 0xbb, 0x4d, 0xff, 0x93, 0x35, 0x63, + 0x8f, 0xd6, 0x99, 0x50, 0x63, 0x79, 0x76, 0xd6, 0x3b, 0x9b, 0xa4, 0x42, 0x91, 0xb4, 0x25, 0x2e, + 0x2d, 0x29, 0x10, 0xe5, 0xf9, 0x57, 0x5b, 0x28, 0xb0, 0x1b, 0x24, 0x7b, 0xd5, 0x6c, 0x74, 0x00, + 0x50, 0x96, 0xa6, 0x6a, 0x3f, 0x41, 0x72, 0xc9, 0x31, 0x9f, 0x21, 0x95, 0x1c, 0xf2, 0x29, 0x52, + 0xb5, 0x97, 0x1c, 0xf6, 0x94, 0xca, 0x61, 0x6b, 0xce, 0xf9, 0x10, 0x29, 0xfc, 0x69, 0xb2, 0x25, + 0x71, 0x4c, 0x6b, 0x6b, 0x36, 0xb9, 0xb1, 0x1f, 0xde, 0xfb, 0x3d, 0xe0, 0xe1, 0xfd, 0x03, 0x40, + 0x50, 0x19, 0x52, 0x31, 0xd8, 0x3a, 0x7d, 0x4e, 0xa2, 0x64, 0x40, 0x9e, 0x6f, 0xf9, 0x2c, 0xee, + 0x85, 0xfd, 0x6a, 0xc2, 0x99, 0x64, 0x70, 0x25, 0x14, 0x32, 0x64, 0x55, 0xc5, 0x51, 0x4d, 0x39, + 0x2a, 0x0f, 0xfb, 0x8c, 0xf5, 0x23, 0xba, 0xa5, 0x59, 0xba, 0xa3, 0xde, 0x56, 0x30, 0xe2, 0x44, + 0x86, 0x2c, 0x36, 0x42, 0x57, 0xc7, 0xdf, 0x71, 0x92, 0x24, 0x94, 0x0b, 0x3b, 0x7e, 0xf7, 0xa2, + 0xc2, 0x84, 0xb3, 0xb3, 0x73, 0x3b, 0xf4, 0x2c, 0xa6, 0xf2, 0x1d, 0xe3, 0x27, 0x61, 0xdc, 0x4f, + 0x19, 0x5e, 0x6c, 0x05, 0x54, 0xc8, 0x30, 0xd6, 0x1a, 0x30, 0x1f, 0x45, 0xd4, 0xf2, 0x7e, 0x7e, + 0xf2, 0x52, 0x54, 0x43, 0xb6, 0x45, 0x92, 0x70, 0x48, 0xfc, 0x41, 0x18, 0x53, 0x7e, 0xbe, 0x95, + 0x9c, 0xf4, 0x15, 0x41, 0x6c, 0x0d, 0xa9, 0x24, 0x5b, 0xa7, 0xcf, 0xb7, 0xfa, 0x34, 0xa6, 0x9c, + 0x48, 0x1a, 0x18, 0xa9, 0x8d, 0x3f, 0xfe, 0x35, 0x00, 0x6f, 0xa8, 0x18, 0xd4, 0xf5, 0x32, 0xe1, + 0x33, 0xb0, 0xac, 0xf5, 0xe3, 0x28, 0x14, 0x92, 0xc6, 0x38, 0x61, 0x5c, 0x7a, 0x85, 0xf5, 0xdc, + 0xe6, 0x4d, 0xb4, 0xa4, 0x07, 0xda, 0x9a, 0x7e, 0xc8, 0xb8, 
0x84, 0x4f, 0x81, 0x21, 0xe1, 0x81, + 0x94, 0x89, 0xe1, 0xbc, 0xa9, 0x39, 0xcb, 0x9a, 0xbc, 0x2b, 0x65, 0xa2, 0xf9, 0x76, 0xc0, 0x92, + 0xcf, 0xe2, 0x98, 0xfa, 0x12, 0xcb, 0x70, 0x48, 0xd9, 0x48, 0x7a, 0xb7, 0xd6, 0x73, 0x9b, 0xc5, + 0xed, 0xbb, 0x55, 0x63, 0x99, 0x6a, 0x6a, 0x99, 0x6a, 0xc3, 0x5a, 0x0e, 0x2d, 0x5a, 0x89, 0x8e, + 0x11, 0x80, 0x5f, 0x81, 0x8a, 0x66, 0xf2, 0x59, 0x84, 0x03, 0x2a, 0xa9, 0xaf, 0x57, 0x9f, 0xc2, + 0x3d, 0x9b, 0x05, 0xe7, 0xa5, 0xc2, 0x8d, 0x54, 0x36, 0x05, 0x66, 0xa0, 0x2c, 0xfd, 0x04, 0x9f, + 0x50, 0x9a, 0x90, 0x28, 0x3c, 0xa5, 0xde, 0x7d, 0x8d, 0xd5, 0xaa, 0x9a, 0x9d, 0x9e, 0xd8, 0x3f, + 0xdd, 0xef, 0x17, 0xd5, 0xba, 0x99, 0x5a, 0xc8, 0xe2, 0x43, 0xc6, 0xa2, 0x23, 0x2a, 0x65, 0x18, + 0xf7, 0x45, 0xb5, 0x53, 0x3f, 0x9c, 0xfc, 0xf6, 0x93, 0x5f, 0xa7, 0x88, 0xa8, 0x24, 0x33, 0x5f, + 0xf0, 0x23, 0x50, 0x0e, 0xe3, 0x3e, 0xa7, 0x42, 0x60, 0x3f, 0x22, 0x42, 0x78, 0xf3, 0xeb, 0xb9, + 0xcd, 0x05, 0x54, 0xb2, 0xc4, 0xba, 0xa2, 0xc1, 0x4f, 0xc0, 0x52, 0xca, 0x24, 0x28, 0x3f, 0x0d, + 0x7d, 0xea, 0x39, 0x9a, 0x6d, 0xd1, 0x92, 0x8f, 0x0c, 0x15, 0x0e, 0xc1, 0x9d, 0x31, 0x1a, 0x8b, + 0x25, 0x67, 0x51, 0x44, 0x39, 0x1e, 0xb2, 0x80, 0x7a, 0x0b, 0xeb, 0xb9, 0xcd, 0xc5, 0xed, 0x9f, + 0x57, 0xa7, 0xb8, 0x6c, 0x75, 0xb2, 0xe3, 0xd5, 0x3d, 0xab, 0x77, 0x2c, 0xfd, 0x86, 0x05, 0x14, + 0xad, 0x85, 0xd3, 0xc8, 0xf0, 0x67, 0xc0, 0x9d, 0xcc, 0x2b, 0xa2, 0xbe, 0x64, 0xdc, 0xfb, 0x5c, + 0x4f, 0x6c, 0x69, 0x3c, 0x31, 0x43, 0x86, 0x4f, 0xc0, 0x22, 0x8d, 0x49, 0x37, 0xa2, 0x58, 0x72, + 0xe2, 0x87, 0x71, 0xdf, 0x2b, 0xad, 0xe7, 0x36, 0x1d, 0x54, 0x36, 0xd4, 0x8e, 0x21, 0x2a, 0x27, + 0x22, 0xbe, 0xaf, 0x00, 0x23, 0xd6, 0xc7, 0xbd, 0x30, 0xa2, 0x5e, 0x59, 0x03, 0x96, 0x0d, 0xb9, + 0xcd, 0xfa, 0xaf, 0xc2, 0x88, 0x2a, 0xc7, 0xcc, 0xf2, 0x31, 0x3e, 0x24, 0xd2, 0xf3, 0x8c, 0xea, + 0x09, 0xa7, 0x26, 0x43, 0x02, 0x56, 0x32, 0xbc, 0x34, 0xf6, 0x59, 0xa0, 0xf4, 0xdf, 0xd3, 0x06, + 0x79, 0x3e, 0xcb, 0x20, 0xb5, 0x14, 0xad, 0x69, 0x05, 0xd1, 0x32, 0xb9, 0x4c, 0x82, 0x0d, 0xf0, + 
0xc8, 0xae, 0x8e, 0xc6, 0xa7, 0xec, 0x1c, 0x67, 0xf4, 0xa5, 0x1b, 0xb6, 0xa9, 0x97, 0x7b, 0xcf, + 0xb0, 0x35, 0x15, 0xd7, 0x18, 0x39, 0xdd, 0xbd, 0x5f, 0x81, 0x4a, 0x10, 0x8a, 0x0c, 0x8c, 0x89, + 0x3a, 0xca, 0x15, 0x90, 0xf7, 0x52, 0x03, 0xdc, 0xb1, 0x1c, 0x1a, 0xa1, 0x6d, 0xc7, 0xdb, 0xac, + 0x0f, 0x5f, 0x83, 0xc5, 0x80, 0xf6, 0xc8, 0x28, 0x92, 0xd8, 0xe4, 0x28, 0x6f, 0x51, 0xbb, 0xee, + 0xfa, 0xd4, 0x05, 0x1e, 0xaa, 0x90, 0x34, 0x2b, 0x44, 0x65, 0x2b, 0x67, 0x63, 0x7e, 0x08, 0xee, + 0xb0, 0x91, 0xec, 0xb2, 0x51, 0x1c, 0xa8, 0xbd, 0xea, 0xf5, 0x42, 0x1f, 0x27, 0x2c, 0x0a, 0xfd, + 0x73, 0x6f, 0x59, 0x23, 0xce, 0xf4, 0xa1, 0x03, 0x2b, 0xde, 0x31, 0xd2, 0x87, 0x5a, 0x18, 0xad, + 0xb1, 0x69, 0x64, 0xb8, 0x0b, 0x16, 0xcd, 0x7c, 0xb1, 0x60, 0x23, 0xee, 0x53, 0xe1, 0xdd, 0x5e, + 0x9f, 0xdb, 0x2c, 0x6e, 0x3f, 0x9e, 0xaa, 0xc5, 0x68, 0x38, 0xd2, 0x9c, 0xa8, 0xec, 0x67, 0xbe, + 0x04, 0x6c, 0x00, 0xd7, 0x6e, 0x02, 0x19, 0x49, 0x86, 0x87, 0x32, 0x12, 0xde, 0x5f, 0xe8, 0x19, + 0x57, 0xae, 0xa4, 0x82, 0x1d, 0xc6, 0xa2, 0xb7, 0x24, 0x1a, 0x51, 0x64, 0xdd, 0xb2, 0x36, 0x92, + 0xec, 0x8d, 0x8c, 0x04, 0x7c, 0x0c, 0x4a, 0x92, 0x8f, 0x84, 0xc4, 0x01, 0x1b, 0x92, 0x30, 0xf6, + 0x2a, 0xda, 0xa9, 0x8a, 0x9a, 0xd6, 0xd0, 0x24, 0xf8, 0x19, 0x58, 0xcd, 0xb2, 0x60, 0x12, 0x85, + 0x44, 0x50, 0xe1, 0x55, 0xd7, 0xe7, 0x36, 0x17, 0x10, 0xcc, 0xb0, 0xd6, 0xcc, 0x08, 0xfc, 0x1a, + 0x2c, 0xf9, 0x04, 0xfb, 0x94, 0xcb, 0xb0, 0x17, 0xfa, 0x44, 0x52, 0xe1, 0x7d, 0xa9, 0x57, 0xb9, + 0x35, 0xcb, 0x96, 0xf5, 0x89, 0x4c, 0x83, 0x48, 0x82, 0x16, 0x7d, 0x92, 0x21, 0x09, 0xf8, 0x4b, + 0x70, 0x37, 0xdd, 0x76, 0xeb, 0x69, 0x98, 0x9e, 0xa9, 0xe4, 0x8b, 0x25, 0xf3, 0x1e, 0xe9, 0x09, + 0xdd, 0xb6, 0x0c, 0xd6, 0xcd, 0x9a, 0x7a, 0xb8, 0xc3, 0xe0, 0x2e, 0x78, 0x9c, 0x8a, 0x9e, 0x86, + 0x5c, 0x8e, 0x48, 0x34, 0x05, 0x62, 0x5d, 0x43, 0x3c, 0xb0, 0x8c, 0x6f, 0x0d, 0xdf, 0x65, 0xa4, + 0x16, 0xd8, 0x48, 0x91, 0x2e, 0x57, 0xa3, 0x0c, 0xd4, 0x63, 0x0d, 0xf5, 0xd0, 0x72, 0x36, 0x26, + 0x8c, 0x68, 0x14, 0x4d, 0xb0, 0x9e, 
0x80, 0x45, 0xce, 0x98, 0xc4, 0x31, 0x19, 0x52, 0x91, 0x10, + 0x9f, 0x7a, 0x1b, 0x26, 0x01, 0x28, 0xea, 0x7e, 0x4a, 0x84, 0x3d, 0xb0, 0x12, 0x31, 0x9f, 0x44, + 0xa1, 0x3c, 0xc7, 0x51, 0x17, 0x0b, 0x93, 0x6a, 0xbd, 0x8f, 0xf4, 0x7e, 0x7f, 0xf1, 0x9e, 0x74, + 0xdd, 0xb6, 0x52, 0x6d, 0x46, 0x82, 0x1d, 0x12, 0x91, 0xd8, 0xa7, 0xdc, 0x26, 0x6a, 0xb4, 0x9c, + 0x42, 0xb6, 0xbb, 0x96, 0x04, 0xeb, 0xc0, 0x0d, 0x62, 0x81, 0x39, 0xed, 0x71, 0x2a, 0x06, 0x58, + 0xd5, 0x4a, 0xef, 0xe3, 0x99, 0xe5, 0x2a, 0x88, 0x05, 0x32, 0x12, 0x88, 0x48, 0x0a, 0xbf, 0x03, + 0xcb, 0x83, 0x6d, 0x3c, 0x4a, 0xfa, 0x9c, 0x04, 0x34, 0x0d, 0xa6, 0x9f, 0xe9, 0xfc, 0x33, 0xd3, + 0x01, 0x76, 0xb7, 0x8f, 0x8d, 0x9c, 0x0d, 0xa3, 0xa5, 0xc1, 0x45, 0x82, 0xf2, 0x80, 0x30, 0x36, + 0xe1, 0xea, 0x47, 0x23, 0x21, 0x29, 0xc7, 0x42, 0x12, 0x63, 0x40, 0xef, 0x53, 0x6d, 0xbb, 0xdb, + 0x96, 0xa1, 0x6e, 0xc6, 0x8f, 0x24, 0xd1, 0x96, 0x54, 0x09, 0x67, 0x1c, 0xea, 0x57, 0x65, 0xff, + 0x52, 0xcb, 0x8e, 0x93, 0xc1, 0x65, 0xe1, 0x06, 0x28, 0x5d, 0x70, 0xe8, 0x2d, 0xed, 0xd0, 0xd3, + 0xd3, 0x4d, 0xc6, 0x65, 0xd1, 0x05, 0x29, 0xf8, 0x77, 0xa0, 0x2c, 0x07, 0x3c, 0xec, 0x8d, 0xb3, + 0xd6, 0x73, 0x6d, 0xdc, 0x4f, 0x67, 0x99, 0xa5, 0xa3, 0x85, 0x6c, 0x06, 0x2b, 0xc9, 0xcc, 0x17, + 0xfc, 0x16, 0xb8, 0xa9, 0x1f, 0x5b, 0xb7, 0x10, 0xde, 0xf6, 0x87, 0x45, 0x9b, 0x75, 0xec, 0xb4, + 0x70, 0xa3, 0x25, 0x71, 0x91, 0x00, 0x11, 0xb8, 0x63, 0x73, 0x4c, 0xc2, 0xd9, 0x90, 0xca, 0x01, + 0x1d, 0x09, 0x3c, 0xa4, 0xbc, 0x4f, 0xbd, 0x17, 0x33, 0x53, 0xcd, 0x9a, 0x11, 0x3d, 0x1c, 0x4b, + 0xbe, 0x51, 0x82, 0xf0, 0x3b, 0x70, 0xff, 0x94, 0xf2, 0xb0, 0x77, 0x9e, 0x4d, 0x10, 0x98, 0x48, + 0xec, 0x47, 0x21, 0x8d, 0xa5, 0xf7, 0xc5, 0x4c, 0xe0, 0xbb, 0x46, 0x3e, 0x63, 0xe5, 0x9a, 0xac, + 0x6b, 0x61, 0xb8, 0x0d, 0xf2, 0x3e, 0xf1, 0x7e, 0xa1, 0x21, 0x36, 0x66, 0x26, 0x9b, 0x1a, 0xca, + 0xfb, 0x04, 0x76, 0xc1, 0x0a, 0x3d, 0x93, 0x34, 0x16, 0x2a, 0x88, 0x13, 0xce, 0x4e, 0xc3, 0x80, + 0x72, 0xe1, 0xfd, 0x52, 0xdb, 0x70, 0x66, 0xc1, 0x6c, 0xa6, 0xa2, 0x87, 
0x56, 0x12, 0x41, 0x7a, + 0x99, 0x24, 0xe0, 0x6f, 0xc0, 0x72, 0x9a, 0x32, 0x26, 0x1a, 0xfe, 0x4a, 0x4f, 0xf3, 0xb3, 0x59, + 0x1a, 0x1a, 0x46, 0x70, 0x0c, 0x86, 0xdc, 0xe0, 0x12, 0x05, 0x06, 0x60, 0x25, 0x08, 0x85, 0xcf, + 0x4e, 0x29, 0x3f, 0x1f, 0xf7, 0x26, 0xc2, 0xfb, 0x95, 0x5e, 0xc2, 0x8b, 0xaa, 0xe9, 0x8d, 0xab, + 0xd9, 0xde, 0xb8, 0x9a, 0x9c, 0xf4, 0x15, 0x41, 0x54, 0x55, 0x6f, 0x5c, 0x3d, 0x7d, 0x5e, 0x6d, + 0x93, 0x2e, 0x8d, 0xd2, 0x06, 0x06, 0xc1, 0x31, 0x5e, 0x4a, 0x12, 0x95, 0x7f, 0xcd, 0x81, 0xb5, + 0xa9, 0xc5, 0x0e, 0xee, 0x83, 0x82, 0xee, 0xba, 0x72, 0x3a, 0xc8, 0xbf, 0xfc, 0x93, 0x2a, 0x66, + 0x55, 0xb7, 0x5e, 0x1a, 0x67, 0xa3, 0x01, 0x0a, 0xba, 0xe3, 0x5a, 0x06, 0x65, 0xd4, 0x7c, 0xbd, + 0x77, 0xd4, 0x41, 0xdf, 0xe0, 0x83, 0xfd, 0xf6, 0x37, 0xee, 0x0d, 0x58, 0x06, 0x0b, 0xb5, 0x76, + 0xfb, 0xe0, 0x2b, 0x5c, 0xdb, 0xff, 0xc6, 0xcd, 0x6d, 0x14, 0x9c, 0xbc, 0x9b, 0x7f, 0xb6, 0xfa, + 0x76, 0x0f, 0x75, 0x8e, 0x6b, 0x6d, 0x7c, 0xd4, 0x44, 0x6f, 0xf7, 0xea, 0x4d, 0xcd, 0x5c, 0xf9, + 0xc7, 0x1c, 0x58, 0xba, 0x54, 0x50, 0x20, 0x04, 0x73, 0x09, 0x1d, 0xea, 0x89, 0x2e, 0xec, 0xde, + 0x40, 0xea, 0x03, 0x7e, 0x0a, 0x96, 0x45, 0x12, 0xf6, 0x7a, 0x14, 0x77, 0x47, 0x71, 0x10, 0x51, + 0x3c, 0xe2, 0x91, 0x97, 0xb7, 0x1c, 0x4b, 0x66, 0x68, 0x47, 0x8f, 0x1c, 0xf3, 0x48, 0xb5, 0xb0, + 0xd9, 0x72, 0x28, 0xbc, 0x39, 0x9d, 0xe8, 0x4b, 0x99, 0x3a, 0x28, 0x76, 0x20, 0x70, 0xb3, 0xde, + 0x1d, 0x10, 0x49, 0x2a, 0xbf, 0x03, 0xa5, 0x6c, 0x18, 0xc3, 0x8f, 0xc1, 0xa2, 0xca, 0xaf, 0x38, + 0x0a, 0x87, 0xa1, 0xd4, 0x3a, 0x73, 0xa6, 0x19, 0x56, 0xd4, 0xb6, 0x22, 0x2a, 0x75, 0xaf, 0x01, + 0xcc, 0x70, 0xa5, 0x3d, 0x7f, 0x7e, 0x56, 0x4e, 0x76, 0xc7, 0x20, 0xb6, 0xd7, 0xaf, 0xfc, 0x5b, + 0x0e, 0x2c, 0x5d, 0x0a, 0x78, 0xd8, 0x01, 0xce, 0x38, 0x67, 0xe4, 0x34, 0xe4, 0xcb, 0x6b, 0xe6, + 0x8c, 0xea, 0x38, 0x79, 0x8c, 0x91, 0xe0, 0x2a, 0xb8, 0x39, 0x60, 0x42, 0x0a, 0x2f, 0xaf, 0x2d, + 0x63, 0x3e, 0x2a, 0x5b, 0xc0, 0x19, 0xeb, 0xfd, 0x08, 0x94, 0xd3, 0x04, 0xac, 0x6b, 0x90, 0x56, + 0xee, 0xa0, 
0x92, 0x25, 0xea, 0xa2, 0x55, 0xf9, 0x43, 0x0e, 0xe4, 0xeb, 0x35, 0xe8, 0x81, 0x79, + 0x12, 0x04, 0xaa, 0xbb, 0xb6, 0xf6, 0x49, 0x3f, 0xe1, 0x01, 0x28, 0xc9, 0x48, 0x4c, 0xb2, 0x5e, + 0xfe, 0x42, 0x2e, 0x9d, 0x7a, 0x78, 0xd1, 0x59, 0xa2, 0xd3, 0x3e, 0x1a, 0xcf, 0xba, 0x28, 0x23, + 0x31, 0x9e, 0xd6, 0x0e, 0x58, 0xe2, 0xf4, 0xef, 0x47, 0x54, 0x4c, 0x0c, 0x3d, 0x37, 0xb3, 0xf8, + 0x59, 0x89, 0xf4, 0x48, 0xf5, 0x08, 0x14, 0xb5, 0xfe, 0x00, 0x8b, 0x30, 0xa0, 0xfa, 0xf4, 0xe8, + 0x20, 0x60, 0x48, 0x47, 0x61, 0x40, 0x2b, 0xff, 0x55, 0x01, 0xcb, 0x57, 0x92, 0x06, 0x84, 0xa0, + 0xa0, 0xab, 0x90, 0x59, 0xa2, 0xfe, 0x0d, 0xff, 0x21, 0x07, 0x56, 0x4d, 0x67, 0x4c, 0xcf, 0xa4, + 0xea, 0xf2, 0x06, 0xdf, 0xeb, 0xd3, 0xa6, 0x5d, 0xe8, 0xd7, 0xd7, 0x4e, 0x4d, 0x55, 0xdd, 0x46, + 0x2b, 0x32, 0x8f, 0x49, 0x54, 0x1b, 0xc9, 0x01, 0xe3, 0xe1, 0xf7, 0x7a, 0x1d, 0xfa, 0xbc, 0x6a, + 0xd9, 0x76, 0x6f, 0xa0, 0x65, 0x6a, 0x39, 0x15, 0xd3, 0xf7, 0x6a, 0x70, 0xea, 0x6c, 0xfa, 0x3c, + 0xf1, 0xad, 0x89, 0x7e, 0xd2, 0xd9, 0xbc, 0xe6, 0x89, 0xff, 0xa3, 0xb3, 0x51, 0x83, 0x90, 0x80, + 0x5b, 0xdf, 0x87, 0xc9, 0x49, 0x18, 0x6b, 0x0b, 0x17, 0xb7, 0x5f, 0x5f, 0x5f, 0xfd, 0xb7, 0x5a, + 0xde, 0x1e, 0xc5, 0x32, 0xda, 0x2c, 0x30, 0xfc, 0x2d, 0x58, 0x88, 0xc2, 0xfe, 0x40, 0x0a, 0x49, + 0x13, 0x7d, 0xb6, 0x9f, 0x1c, 0x8c, 0xaf, 0xa1, 0xa5, 0x9d, 0x42, 0x5c, 0x55, 0x34, 0x81, 0x87, + 0x01, 0x98, 0x57, 0x39, 0x22, 0x60, 0x7d, 0x7b, 0x3b, 0xb0, 0x7b, 0x7d, 0x4d, 0x0d, 0x03, 0x70, + 0x55, 0x4f, 0x0a, 0x0d, 0x43, 0x50, 0x14, 0x92, 0xf8, 0x27, 0x01, 0x0f, 0x4f, 0x29, 0xd7, 0x67, + 0xef, 0xe2, 0x76, 0xf3, 0xfa, 0x9a, 0x8e, 0x26, 0x20, 0x19, 0x35, 0x59, 0x6c, 0xc8, 0x01, 0x60, + 0x09, 0x8d, 0x7d, 0x1a, 0x8b, 0x91, 0xd0, 0xc7, 0xf7, 0xe2, 0xf6, 0xe1, 0xf5, 0x35, 0x1d, 0x24, + 0x34, 0xae, 0x6b, 0x8c, 0x5a, 0x5f, 0x45, 0xee, 0x95, 0xb5, 0x65, 0xb4, 0x54, 0xfe, 0x25, 0x07, + 0x9e, 0xfc, 0xb8, 0x4f, 0x21, 0x13, 0xa7, 0x3b, 0x2c, 0x38, 0x57, 0xe7, 0xe9, 0x21, 0x39, 0xc3, + 0x69, 0xb0, 0x77, 0xcf, 0x55, 0x47, 0xa7, 0x42, 
0xaf, 0x8c, 0x96, 0x86, 0xe4, 0x2c, 0x65, 0x55, + 0x64, 0xb8, 0x0d, 0xd6, 0x48, 0x14, 0xb1, 0x77, 0x38, 0x21, 0x5c, 0x86, 0x24, 0xc2, 0x43, 0x2a, + 0x04, 0xe9, 0x53, 0x1d, 0x85, 0x0e, 0x5a, 0xd1, 0x83, 0x87, 0x66, 0xec, 0x8d, 0x19, 0x82, 0x1b, + 0xa0, 0x9c, 0x10, 0xff, 0x04, 0x13, 0x61, 0xb1, 0xe7, 0x34, 0x6f, 0x51, 0x11, 0x6b, 0x42, 0xe3, + 0x56, 0xfe, 0x7d, 0x1e, 0x3c, 0xfd, 0xb0, 0x78, 0x54, 0x29, 0x30, 0x3d, 0x57, 0xdb, 0x14, 0x68, + 0x3f, 0x55, 0xda, 0xd0, 0x57, 0x4f, 0x79, 0x3d, 0x77, 0xfd, 0x1b, 0xbe, 0x00, 0xf3, 0x69, 0xf6, + 0x5a, 0x98, 0x95, 0xbd, 0x52, 0x4e, 0x95, 0xb6, 0x12, 0x22, 0x07, 0x38, 0xe1, 0xb4, 0x17, 0x9e, + 0xe9, 0xf9, 0x2e, 0x20, 0xa0, 0x48, 0x87, 0x9a, 0x02, 0xef, 0x81, 0x85, 0x1e, 0x09, 0x23, 0xac, + 0xec, 0x6d, 0xb3, 0x9a, 0xa3, 0x08, 0x6a, 0x87, 0xe0, 0x53, 0xb0, 0xa4, 0x1a, 0xe9, 0x91, 0xc0, + 0x2c, 0xc6, 0x94, 0x73, 0xc6, 0x75, 0xc0, 0x2c, 0xa0, 0xb2, 0x21, 0x1f, 0xc4, 0x4d, 0x45, 0x84, + 0xbf, 0x00, 0x5e, 0x18, 0xfb, 0xd1, 0x28, 0xa0, 0x78, 0x40, 0x89, 0x6a, 0x5d, 0x70, 0x18, 0x63, + 0x7f, 0x40, 0xfd, 0x13, 0xef, 0x96, 0x2e, 0x16, 0x6b, 0x76, 0x7c, 0xd7, 0x0c, 0xef, 0xc5, 0x75, + 0x35, 0x08, 0x5f, 0x81, 0xf5, 0x54, 0x30, 0xdd, 0xb4, 0x2b, 0x00, 0x40, 0x03, 0xdc, 0xb7, 0x7c, + 0x76, 0x0f, 0x2f, 0xe1, 0xfc, 0x3e, 0x07, 0x3e, 0x4a, 0x81, 0x48, 0x10, 0x84, 0xca, 0x08, 0x24, + 0xba, 0x8a, 0x55, 0xd4, 0x9d, 0xd3, 0xef, 0xfe, 0x5c, 0x19, 0xb6, 0xba, 0x67, 0xe6, 0x50, 0x1b, + 0x4f, 0xe1, 0xe2, 0x3c, 0x9b, 0xb1, 0xe4, 0xe7, 0xe8, 0x51, 0xf8, 0x7e, 0x2e, 0xf8, 0xcf, 0x39, + 0xf0, 0xe0, 0xb2, 0x59, 0xba, 0x2c, 0x38, 0x9f, 0xac, 0xa3, 0xa4, 0x1d, 0xe0, 0xab, 0x9f, 0x72, + 0x1d, 0x99, 0x38, 0x42, 0x77, 0x2f, 0x1a, 0x5b, 0xd1, 0xd2, 0xb9, 0xfd, 0x0d, 0xb8, 0x9f, 0x5a, + 0x55, 0x32, 0x3c, 0x4a, 0x84, 0xe4, 0x94, 0x0c, 0x95, 0x7f, 0xe8, 0x80, 0xf1, 0xe6, 0xf5, 0x6e, + 0x79, 0x96, 0xa7, 0xc3, 0x8e, 0x2d, 0xc7, 0x41, 0x5c, 0x53, 0xe3, 0xf0, 0x6f, 0xc1, 0x83, 0x8c, + 0x7c, 0xc0, 0xde, 0xc5, 0x13, 0x84, 0x80, 0xc6, 0xe7, 0x9e, 0xa3, 0x01, 0xee, 0x8e, 
0x01, 0x1a, + 0x63, 0x96, 0x83, 0xb8, 0x41, 0xe3, 0xf3, 0x0a, 0x02, 0x1f, 0x7f, 0x88, 0x99, 0xa1, 0x0b, 0xe6, + 0x4e, 0xe8, 0xb9, 0x8d, 0x2c, 0xf5, 0x53, 0x35, 0x30, 0xa7, 0xea, 0xa4, 0x61, 0x9a, 0x40, 0x64, + 0x3e, 0xbe, 0xcc, 0xbf, 0xcc, 0x55, 0xfe, 0x27, 0xff, 0xbe, 0xa0, 0xcd, 0x96, 0xad, 0x3f, 0x3d, + 0x68, 0x6f, 0x7e, 0x70, 0xd0, 0x5e, 0x88, 0xc9, 0xb9, 0xd9, 0x31, 0x59, 0x98, 0x16, 0x93, 0xb3, + 0x9d, 0xe8, 0xd6, 0xff, 0x97, 0x13, 0x55, 0x4e, 0xc0, 0xda, 0xd4, 0x2a, 0x7d, 0x4d, 0xe3, 0x7e, + 0x0c, 0x16, 0x55, 0xba, 0x97, 0xa4, 0x8f, 0x23, 0x1a, 0xf7, 0xe5, 0x40, 0x1b, 0xab, 0x8c, 0x4a, + 0x43, 0x72, 0xd6, 0x21, 0xfd, 0xb6, 0xa6, 0x55, 0xfe, 0x29, 0x07, 0xbc, 0x1f, 0xab, 0xd6, 0xd7, + 0x54, 0xf8, 0x18, 0x94, 0xec, 0x9d, 0xa8, 0x64, 0x27, 0x76, 0x6f, 0x16, 0x50, 0xd1, 0xd0, 0x3a, + 0x8a, 0x34, 0x65, 0x4e, 0x85, 0x29, 0x73, 0x8a, 0xc0, 0xed, 0xe9, 0x65, 0xfd, 0xcf, 0x62, 0x81, + 0xff, 0xce, 0x83, 0x95, 0x29, 0xb5, 0x5d, 0xc5, 0x43, 0x40, 0xbb, 0xa3, 0xbe, 0x6d, 0xd3, 0xcd, + 0x07, 0xec, 0x00, 0x4f, 0x61, 0xc6, 0xa3, 0x61, 0x97, 0x72, 0xcc, 0x7a, 0x98, 0x48, 0xc9, 0xc3, + 0xee, 0x48, 0xd5, 0x3b, 0xd3, 0xa1, 0xde, 0xbb, 0xe2, 0xc3, 0x7b, 0xb1, 0xfc, 0xe2, 0x73, 0x7b, + 0x3d, 0x30, 0x24, 0x67, 0xfb, 0x5a, 0xf6, 0xa0, 0x57, 0x1b, 0x4b, 0xc2, 0xb7, 0xe0, 0xee, 0x25, + 0xd4, 0x38, 0x66, 0x52, 0x3b, 0x8d, 0xb0, 0xad, 0xe6, 0x7b, 0x61, 0x6f, 0x67, 0x61, 0x27, 0xa2, + 0xf0, 0x3b, 0x70, 0xff, 0x22, 0xae, 0x2d, 0xe3, 0x98, 0x9e, 0xd2, 0x58, 0x0a, 0xdb, 0x46, 0xbe, + 0x17, 0xda, 0xcb, 0x40, 0xdb, 0x4a, 0xdf, 0xd4, 0xc2, 0x53, 0xcc, 0x7b, 0x73, 0x8a, 0x79, 0xff, + 0x90, 0x07, 0x0f, 0xdf, 0xdf, 0xd0, 0x5c, 0x73, 0x57, 0xdf, 0x81, 0x79, 0x9f, 0xc5, 0x92, 0x9e, + 0x49, 0x7d, 0x08, 0x5d, 0xdc, 0xfe, 0xcd, 0x4f, 0xdd, 0x61, 0x55, 0xd5, 0x37, 0xad, 0x1b, 0x25, + 0x28, 0xd5, 0xf6, 0x61, 0xce, 0xbb, 0x41, 0x41, 0x29, 0x2b, 0x0e, 0x97, 0x40, 0xf1, 0x78, 0xff, + 0xe8, 0xb0, 0x59, 0xdf, 0x7b, 0xb5, 0xd7, 0x6c, 0xb8, 0x37, 0xe0, 0x1a, 0x58, 0xfe, 0xea, 0x45, + 0x1d, 0x77, 0x50, 0xad, 
0xde, 0xc4, 0xf5, 0x83, 0xfd, 0x4e, 0xf3, 0xeb, 0x8e, 0x9b, 0x83, 0x25, + 0xe0, 0xbc, 0x46, 0x87, 0x75, 0xbc, 0xb3, 0xb7, 0xef, 0xe6, 0xe1, 0x1d, 0xb0, 0x52, 0x6f, 0x1f, + 0x1c, 0x37, 0x2e, 0xb1, 0xcd, 0xc1, 0x5b, 0x20, 0xbf, 0xf3, 0xc2, 0x2d, 0xec, 0x00, 0xe0, 0xa4, + 0x77, 0x2a, 0x95, 0x4f, 0x81, 0x7b, 0xf9, 0xba, 0x44, 0xd9, 0x34, 0x7d, 0x84, 0xb1, 0x36, 0xb5, + 0x9f, 0x1b, 0x2d, 0xb0, 0x36, 0xf5, 0x01, 0xe8, 0xea, 0x4c, 0xe7, 0xc1, 0xdc, 0xc1, 0xab, 0x57, + 0x6e, 0x0e, 0x16, 0xc1, 0x7c, 0xa3, 0xf9, 0xaa, 0x76, 0xdc, 0xee, 0xb8, 0x79, 0x08, 0xc0, 0xad, + 0xa3, 0x0e, 0xda, 0xab, 0x77, 0xdc, 0xb9, 0x8d, 0xa7, 0x00, 0xa8, 0x0c, 0x67, 0x2f, 0x44, 0x1c, + 0x50, 0xd8, 0x3f, 0xd8, 0x6f, 0xba, 0x37, 0xe0, 0x22, 0x00, 0x6f, 0x8e, 0xf5, 0xdd, 0x44, 0xa7, + 0x7d, 0xe4, 0xe6, 0x36, 0x3e, 0x01, 0xcb, 0x57, 0xde, 0x58, 0x14, 0xbb, 0x5e, 0xd4, 0x0d, 0xf5, + 0xab, 0x75, 0x74, 0xb0, 0xef, 0xe6, 0x36, 0xb6, 0xc1, 0xd2, 0xa5, 0xcb, 0x50, 0x08, 0xc1, 0x62, + 0xe3, 0x00, 0xef, 0x1f, 0x74, 0xf0, 0xf1, 0xe1, 0x6b, 0x54, 0x6b, 0x28, 0xfc, 0x22, 0x98, 0x4f, + 0x3f, 0x72, 0xad, 0x82, 0x93, 0x73, 0xf3, 0xad, 0x82, 0x93, 0x77, 0xe7, 0x5a, 0x05, 0x67, 0xce, + 0x2d, 0xb4, 0x0a, 0xce, 0x67, 0xee, 0xf3, 0x56, 0xc1, 0xb9, 0xeb, 0x56, 0x5a, 0x05, 0xe7, 0xa1, + 0xfb, 0xa8, 0x55, 0x70, 0x80, 0x5b, 0x6c, 0x15, 0x9c, 0xa2, 0x5b, 0x6a, 0x15, 0x9c, 0x25, 0xd7, + 0x6d, 0x15, 0x1c, 0xd7, 0x5d, 0x6e, 0x15, 0x1c, 0xe8, 0xae, 0xb4, 0x0a, 0xce, 0x8a, 0xbb, 0xda, + 0x2a, 0x38, 0xab, 0xee, 0x5a, 0xab, 0xe0, 0xac, 0xb9, 0xb7, 0x5b, 0x05, 0xe7, 0x8e, 0xeb, 0xb5, + 0x0a, 0xce, 0x03, 0xf7, 0x61, 0xab, 0xe0, 0xfc, 0xdc, 0xfd, 0xa2, 0x55, 0x70, 0x9e, 0xb8, 0x4f, + 0x5b, 0x05, 0xe7, 0xa9, 0xfb, 0x49, 0xab, 0xe0, 0x7c, 0xe2, 0x6e, 0x22, 0x38, 0x0c, 0xcf, 0x28, + 0x37, 0xe5, 0x42, 0xdf, 0xaa, 0x53, 0x8e, 0x56, 0x0c, 0x8d, 0x53, 0x7d, 0x21, 0x6e, 0x89, 0x6b, + 0xe9, 0x8b, 0x8f, 0xb9, 0x15, 0x36, 0x12, 0x02, 0x8d, 0x1f, 0x82, 0x8c, 0x8c, 0x7e, 0x52, 0x35, + 0x82, 0x02, 0xdd, 0xce, 0xb2, 0xe2, 0x71, 0xbd, 0x43, 0x4f, 
0xd4, 0xf9, 0xda, 0x27, 0x5c, 0xb5, + 0x07, 0x92, 0x46, 0x74, 0x48, 0xa5, 0xbe, 0xfc, 0x12, 0xfa, 0x1e, 0x8f, 0xf4, 0x7a, 0x61, 0x1c, + 0xca, 0x73, 0x54, 0x54, 0x27, 0x55, 0xab, 0x0e, 0x2d, 0xf3, 0x60, 0x72, 0xb9, 0x1d, 0xd0, 0x88, + 0x9c, 0xa3, 0xb2, 0x51, 0x69, 0xef, 0x14, 0x50, 0xfa, 0xb0, 0x65, 0x2e, 0x23, 0xf5, 0x19, 0xfe, + 0xc2, 0x5c, 0x51, 0x49, 0x04, 0x02, 0x8f, 0x02, 0x81, 0x55, 0x6f, 0x8c, 0x96, 0xc5, 0x15, 0xc0, + 0xdb, 0x16, 0x41, 0x8d, 0xe8, 0xec, 0x8f, 0x87, 0x6c, 0x14, 0x4b, 0x04, 0xb5, 0xa0, 0xa0, 0xf8, + 0xe4, 0xa5, 0xc0, 0x82, 0xe0, 0xdf, 0xbe, 0x93, 0xa8, 0x22, 0x29, 0x1f, 0xa6, 0xef, 0x07, 0x01, + 0x27, 0x61, 0x8c, 0xd3, 0xe7, 0x73, 0xb4, 0x9a, 0xda, 0xc4, 0x5a, 0xb0, 0x4b, 0xa4, 0x3f, 0x40, + 0x5e, 0xf6, 0x0b, 0xab, 0x20, 0xa4, 0xb1, 0xe4, 0x21, 0x15, 0x68, 0xed, 0xca, 0x88, 0x6a, 0x13, + 0x36, 0x7e, 0x9f, 0x03, 0xa5, 0xec, 0x33, 0xd2, 0xff, 0xe5, 0x7d, 0xca, 0x21, 0x58, 0x15, 0xa3, + 0xae, 0xf0, 0x79, 0xd8, 0xa5, 0x01, 0xe6, 0x34, 0x7d, 0xf2, 0x32, 0xc9, 0xea, 0xc1, 0xd4, 0x64, + 0x85, 0x2c, 0x17, 0x5a, 0x99, 0x88, 0xa6, 0x34, 0xb1, 0xf1, 0x6b, 0x50, 0xcc, 0xdc, 0xe8, 0xa9, + 0x53, 0x8b, 0xa0, 0x3e, 0xa7, 0xf6, 0x0a, 0xdf, 0xac, 0x07, 0x18, 0x92, 0xbe, 0xb5, 0xbf, 0x07, + 0x16, 0x82, 0x58, 0x98, 0xd7, 0x15, 0x7b, 0x1d, 0xe5, 0x04, 0xb1, 0xd0, 0x0f, 0x2b, 0xcf, 0xd6, + 0x81, 0x93, 0x22, 0xc3, 0x55, 0xe0, 0xa6, 0x77, 0x87, 0xe9, 0x8d, 0xa3, 0x7b, 0x63, 0x67, 0xf3, + 0x3f, 0x7e, 0x78, 0x98, 0xfb, 0xcf, 0x1f, 0x1e, 0xe6, 0xfe, 0xf8, 0xc3, 0xc3, 0xdc, 0xb7, 0x15, + 0x33, 0x5f, 0xf3, 0x2f, 0x83, 0xad, 0x0b, 0xff, 0x5b, 0xe8, 0xde, 0xd2, 0x05, 0xe3, 0xc5, 0xff, + 0x06, 0x00, 0x00, 0xff, 0xff, 0x0a, 0x9b, 0x8d, 0xca, 0x40, 0x21, 0x00, 0x00, } func (m *MeshConfig) Marshal() (dAtA []byte, err error) { 
@@ -3489,6 +3665,58 @@ func (m *MeshConfig_ExtensionProvider_Opencensus) MarshalToSizedBuffer(dAtA []by } return len(dAtA) - i, nil } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.PackAsBytes { + i-- + if m.PackAsBytes { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x18 + } + if m.AllowPartialMessage { + i-- + if m.AllowPartialMessage { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x10 + } + if m.MaxRequestBytes != 0 { + i = encodeVarintConfig(dAtA, i, uint64(m.MaxRequestBytes)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -3513,6 +3741,58 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Ma i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.IncludeRequestBodyInCheck != nil { + { + size, err := m.IncludeRequestBodyInCheck.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintConfig(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x62 + } + if len(m.IncludeAdditionalHeadersInCheck) > 0 { + for k := range m.IncludeAdditionalHeadersInCheck { + v := m.IncludeAdditionalHeadersInCheck[k] + baseI := i + i -= len(v) + copy(dAtA[i:], v) + i = encodeVarintConfig(dAtA, i, uint64(len(v))) + i-- + dAtA[i] = 0x12 + i -= len(k) + copy(dAtA[i:], k) + i = encodeVarintConfig(dAtA, i, uint64(len(k))) + i-- + dAtA[i] = 0xa + i = encodeVarintConfig(dAtA, i, uint64(baseI-i)) + i-- + dAtA[i] = 0x5a + } + } + if len(m.IncludeRequestHeadersInCheck) > 0 { + for iNdEx := len(m.IncludeRequestHeadersInCheck) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.IncludeRequestHeadersInCheck[iNdEx]) + copy(dAtA[i:], m.IncludeRequestHeadersInCheck[iNdEx]) + i = encodeVarintConfig(dAtA, i, uint64(len(m.IncludeRequestHeadersInCheck[iNdEx]))) + i-- + dAtA[i] = 0x52 + } + } + if m.Timeout != nil { + { + size, err := m.Timeout.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintConfig(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x4a + } if len(m.HeadersToDownstreamOnDeny) > 0 { for iNdEx := len(m.HeadersToDownstreamOnDeny) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.HeadersToDownstreamOnDeny[iNdEx]) 
@@ -3603,6 +3883,30 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Ma i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if m.IncludeRequestBodyInCheck != nil { + { + size, err := m.IncludeRequestBodyInCheck.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintConfig(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x32 + } + if m.Timeout != nil { + { + size, err := m.Timeout.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintConfig(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x2a + } if len(m.StatusOnError) > 0 { i -= len(m.StatusOnError) copy(dAtA[i:], m.StatusOnError) @@ -3882,20 +4186,20 @@ func (m *MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) MarshalToS dAtA[i] = 0x20 } if len(m.Context) > 0 { - dAtA29 := make([]byte, len(m.Context)*10) - var j28 int + dAtA33 := make([]byte, len(m.Context)*10) + var j32 int for _, num := range m.Context { for num >= 1<<7 { - dAtA29[j28] = uint8(uint64(num)&0x7f | 0x80) + dAtA33[j32] = uint8(uint64(num)&0x7f | 0x80) num >>= 7 - j28++ + j32++ } - dAtA29[j28] = uint8(num) - j28++ + dAtA33[j32] = uint8(num) + j32++ } - i -= j28 - copy(dAtA[i:], dAtA29[:j28]) - i = encodeVarintConfig(dAtA, i, uint64(j28)) + i -= j32 + copy(dAtA[i:], dAtA33[:j32]) + i = encodeVarintConfig(dAtA, i, uint64(j32)) i-- dAtA[i] = 0x1a } 
@@ -3973,20 +4277,20 @@ func (m *ConfigSource) MarshalToSizedBuffer(dAtA []byte) (int, error) { copy(dAtA[i:], m.XXX_unrecognized) } if len(m.SubscribedResources) > 0 { - dAtA31 := make([]byte, len(m.SubscribedResources)*10) - var j30 int + dAtA35 := make([]byte, len(m.SubscribedResources)*10) + var j34 int for _, num := range m.SubscribedResources { for num >= 1<<7 { - dAtA31[j30] = uint8(uint64(num)&0x7f | 0x80) + dAtA35[j34] = uint8(uint64(num)&0x7f | 0x80) num >>= 7 - j30++ + j34++ } - dAtA31[j30] = uint8(num) - j30++ + dAtA35[j34] = uint8(num) + j34++ } - i -= j30 - copy(dAtA[i:], dAtA31[:j30]) - i = encodeVarintConfig(dAtA, i, uint64(j30)) + i -= j34 + copy(dAtA[i:], dAtA35[:j34]) + i = encodeVarintConfig(dAtA, i, uint64(j34)) i-- dAtA[i] = 0x1a } @@ -4493,6 +4797,27 @@ func (m *MeshConfig_ExtensionProvider_Opencensus) Size() (n int) { } return n } +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.MaxRequestBytes != 0 { + n += 1 + sovConfig(uint64(m.MaxRequestBytes)) + } + if m.AllowPartialMessage { + n += 2 + } + if m.PackAsBytes { + n += 2 + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Size() (n int) { if m == nil { return 0 
@@ -4535,6 +4860,28 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Si n += 1 + l + sovConfig(uint64(l)) } } + if m.Timeout != nil { + l = m.Timeout.Size() + n += 1 + l + sovConfig(uint64(l)) + } + if len(m.IncludeRequestHeadersInCheck) > 0 { + for _, s := range m.IncludeRequestHeadersInCheck { + l = len(s) + n += 1 + l + sovConfig(uint64(l)) + } + } + if len(m.IncludeAdditionalHeadersInCheck) > 0 { + for k, v := range m.IncludeAdditionalHeadersInCheck { + _ = k + _ = v + mapEntrySize := 1 + len(k) + sovConfig(uint64(len(k))) + 1 + len(v) + sovConfig(uint64(len(v))) + n += mapEntrySize + 1 + sovConfig(uint64(mapEntrySize)) + } + } + if m.IncludeRequestBodyInCheck != nil { + l = m.IncludeRequestBodyInCheck.Size() + n += 1 + l + sovConfig(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -4561,6 +4908,14 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Si if l > 0 { n += 1 + l + sovConfig(uint64(l)) } + if m.Timeout != nil { + l = m.Timeout.Size() + n += 1 + l + sovConfig(uint64(l)) + } + if m.IncludeRequestBodyInCheck != nil { + l = m.IncludeRequestBodyInCheck.Size() + n += 1 + l + sovConfig(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -7090,7 +7445,7 @@ func (m *MeshConfig_ExtensionProvider) Unmarshal(dAtA []byte) error { } return nil } -func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Unmarshal(dAtA []byte) error { +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { 
@@ -7113,17 +7468,17 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Un fieldNum := int32(wire >> 3) wireType := int(wire & 0x7) if wireType == 4 { - return fmt.Errorf("proto: EnvoyExternalAuthorizationHttpProvider: wiretype end group for non-group") + return fmt.Errorf("proto: EnvoyExternalAuthorizationRequestBody: wiretype end group for non-group") } if fieldNum <= 0 { - return fmt.Errorf("proto: EnvoyExternalAuthorizationHttpProvider: illegal tag %d (wire type %d)", fieldNum, wire) + return fmt.Errorf("proto: EnvoyExternalAuthorizationRequestBody: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Service", wireType) + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field MaxRequestBytes", wireType) } - var stringLen uint64 + m.MaxRequestBytes = 0 for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowConfig @@ -7133,29 +7488,16 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Un } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + m.MaxRequestBytes |= uint32(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthConfig - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthConfig - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Service = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex case 2: if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field AllowPartialMessage", wireType) } - m.Port = 0 + var v int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowConfig 
@@ -7165,16 +7507,17 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Un } b := dAtA[iNdEx] iNdEx++ - m.Port |= uint32(b&0x7F) << shift + v |= int(b&0x7F) << shift if b < 0x80 { break } } + m.AllowPartialMessage = bool(v != 0) case 3: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType) + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field PackAsBytes", wireType) } - var stringLen uint64 + var v int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowConfig 
@@ -7184,14 +7527,136 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Un } b := dAtA[iNdEx] iNdEx++ - stringLen |= uint64(b&0x7F) << shift + v |= int(b&0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthConfig + m.PackAsBytes = bool(v != 0) + default: + iNdEx = preIndex + skippy, err := skipConfig(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthConfig + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: EnvoyExternalAuthorizationHttpProvider: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: EnvoyExternalAuthorizationHttpProvider: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Service", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return 
ErrInvalidLengthConfig + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Service = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType) + } + m.Port = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.Port |= uint32(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthConfig } postIndex := iNdEx + intStringLen if postIndex < 0 { 
@@ -7350,6 +7815,237 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) Un } m.HeadersToDownstreamOnDeny = append(m.HeadersToDownstreamOnDeny, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 9: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Timeout", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Timeout == nil { + m.Timeout = &types.Duration{} + } + if err := m.Timeout.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 10: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IncludeRequestHeadersInCheck", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.IncludeRequestHeadersInCheck = append(m.IncludeRequestHeadersInCheck, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex + case 11: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IncludeAdditionalHeadersInCheck", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return 
io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.IncludeAdditionalHeadersInCheck == nil { + m.IncludeAdditionalHeadersInCheck = make(map[string]string) + } + var mapkey string + var mapvalue string + for iNdEx < postIndex { + entryPreIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + if fieldNum == 1 { + var stringLenmapkey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapkey |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapkey := int(stringLenmapkey) + if intStringLenmapkey < 0 { + return ErrInvalidLengthConfig + } + postStringIndexmapkey := iNdEx + intStringLenmapkey + if postStringIndexmapkey < 0 { + return ErrInvalidLengthConfig + } + if postStringIndexmapkey > l { + return io.ErrUnexpectedEOF + } + mapkey = string(dAtA[iNdEx:postStringIndexmapkey]) + iNdEx = postStringIndexmapkey + } else if fieldNum == 2 { + var stringLenmapvalue uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapvalue |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapvalue := int(stringLenmapvalue) + if intStringLenmapvalue < 0 { + return ErrInvalidLengthConfig + } + postStringIndexmapvalue := iNdEx + intStringLenmapvalue + if 
postStringIndexmapvalue < 0 { + return ErrInvalidLengthConfig + } + if postStringIndexmapvalue > l { + return io.ErrUnexpectedEOF + } + mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue]) + iNdEx = postStringIndexmapvalue + } else { + iNdEx = entryPreIndex + skippy, err := skipConfig(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthConfig + } + if (iNdEx + skippy) > postIndex { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + m.IncludeAdditionalHeadersInCheck[mapkey] = mapvalue + iNdEx = postIndex + case 12: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IncludeRequestBodyInCheck", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.IncludeRequestBodyInCheck == nil { + m.IncludeRequestBodyInCheck = &MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody{} + } + if err := m.IncludeRequestBodyInCheck.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipConfig(dAtA[iNdEx:]) 
@@ -7504,6 +8200,78 @@ func (m *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) Un } m.StatusOnError = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Timeout", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Timeout == nil { + m.Timeout = &types.Duration{} + } + if err := m.Timeout.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IncludeRequestBodyInCheck", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowConfig + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthConfig + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthConfig + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.IncludeRequestBodyInCheck == nil { + m.IncludeRequestBodyInCheck = &MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody{} + } + if err := m.IncludeRequestBodyInCheck.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipConfig(dAtA[iNdEx:]) diff --git a/python/istio_api/mesh/v1alpha1/config_pb2.py b/python/istio_api/mesh/v1alpha1/config_pb2.py index 9b9afe8dd28..a08648b7a7e 100644 
--- a/python/istio_api/mesh/v1alpha1/config_pb2.py +++ b/python/istio_api/mesh/v1alpha1/config_pb2.py 
@@ -26,7 +26,7 @@ package='istio.mesh.v1alpha1', syntax='proto3', serialized_options=_b('Z\032istio.io/api/mesh/v1alpha1'), - serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xa6\x36\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 
\x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 \x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 
\x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 \x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12]\n\x11\x64\x65\x66\x61ult_providers\x18< \x01(\x0b\x32\x30.istio.mesh.v1alpha1.MeshConfig.DefaultProvidersR\x10\x64\x65\x66\x61ultProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1a\x8c\x01\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrl\x12#\n\rtrust_domains\x18\x03 \x03(\tR\x0ctrustDomainsB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xa0\x13\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 
\x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x12\x61\n\x06zipkin\x18\x04 \x01(\x0b\x32G.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProviderH\x00R\x06zipkin\x12j\n\tlightstep\x18\x05 \x01(\x0b\x32J.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProviderH\x00R\tlightstep\x12\x64\n\x07\x64\x61tadog\x18\x06 \x01(\x0b\x32H.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProviderH\x00R\x07\x64\x61tadog\x12i\n\x0bstackdriver\x18\x07 \x01(\x0b\x32\x45.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProviderH\x00R\x0bstackdriver\x12r\n\nopencensus\x18\x08 \x01(\x0b\x32P.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProviderH\x00R\nopencensus\x1a\xf7\x02\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1a\x9b\x01\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x1ak\n\x15ZipkinTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 
\x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\x91\x01\n\x18LightstepTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12!\n\x0c\x61\x63\x63\x65ss_token\x18\x03 \x01(\tR\x0b\x61\x63\x63\x65ssToken\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\x1al\n\x16\x44\x61tadogTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\xdc\x02\n\x13StackdriverProvider\x12\x14\n\x05\x64\x65\x62ug\x18\x01 \x01(\x08R\x05\x64\x65\x62ug\x12T\n\x18max_number_of_attributes\x18\x02 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x15maxNumberOfAttributes\x12V\n\x19max_number_of_annotations\x18\x03 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x16maxNumberOfAnnotations\x12[\n\x1cmax_number_of_message_events\x18\x04 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x18maxNumberOfMessageEvents\x12$\n\x0emax_tag_length\x18\x05 \x01(\rR\x0cmaxTagLength\x1a\xd4\x02\n\x1eOpenCensusAgentTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12w\n\x07\x63ontext\x18\x03 \x03(\x0e\x32].istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContextR\x07\x63ontext\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\"e\n\x0cTraceContext\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x15\n\x11W3C_TRACE_CONTEXT\x10\x01\x12\x0c\n\x08GRPC_BIN\x10\x02\x12\x17\n\x13\x43LOUD_TRACE_CONTEXT\x10\x03\x12\x06\n\x02\x42\x33\x10\x04\x42\n\n\x08provider\x1a,\n\x10\x44\x65\x66\x61ultProviders\x12\x18\n\x07tracing\x18\x01 
\x01(\tR\x07tracing\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') + 
serialized_pb=_b('\n\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a\x34k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"\xe0=\n\nMeshConfig\x12*\n\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x12&\n\x0fproxy_http_port\x18\x05 \x01(\x05R\rproxyHttpPort\x12\x42\n\x0f\x63onnect_timeout\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x63onnectTimeout\x12W\n\x1aprotocol_detection_timeout\x18* \x01(\x0b\x32\x19.google.protobuf.DurationR\x18protocolDetectionTimeout\x12o\n\rtcp_keepalive\x18\x1c \x01(\x0b\x32J.istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepaliveR\x0ctcpKeepalive\x12#\n\ringress_class\x18\x07 \x01(\tR\x0cingressClass\x12\'\n\x0fingress_service\x18\x08 \x01(\tR\x0eingressService\x12m\n\x17ingress_controller_mode\x18\t \x01(\x0e\x32\x35.istio.mesh.v1alpha1.MeshConfig.IngressControllerModeR\x15ingressControllerMode\x12)\n\x10ingress_selector\x18\x34 \x01(\tR\x0fingressSelector\x12%\n\x0e\x65nable_tracing\x18\x0c \x01(\x08R\renableTracing\x12&\n\x0f\x61\x63\x63\x65ss_log_file\x18\r \x01(\tR\raccessLogFile\x12*\n\x11\x61\x63\x63\x65ss_log_format\x18\x18 \x01(\tR\x0f\x61\x63\x63\x65ssLogFormat\x12\x61\n\x13\x61\x63\x63\x65ss_log_encoding\x18\x1b \x01(\x0e\x32\x31.istio.mesh.v1alpha1.MeshConfig.AccessLogEncodingR\x11\x61\x63\x63\x65ssLogEncoding\x12\x44\n\x1f\x65nable_envoy_access_log_service\x18( \x01(\x08R\x1b\x65nableEnvoyAccessLogService\x12;\n\x1a\x64isable_envoy_listener_log\x18\x38 \x01(\x08R\x17\x64isableEnvoyListenerLog\x12G\n\x0e\x64\x65\x66\x61ult_config\x18\x0e \x01(\x0b\x32 .istio.mesh.v1alpha1.ProxyConfigR\rdefaultConfig\x12m\n\x17outbound_traffic_policy\x18\x11 \x01(\x0b\x32\x35.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicyR\x15outboundTrafficPolicy\x12H\n\x0e\x63onfig_sources\x18\x16 
\x03(\x0b\x32!.istio.mesh.v1alpha1.ConfigSourceR\rconfigSources\x12\x44\n\x10\x65nable_auto_mtls\x18+ \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x0e\x65nableAutoMtls\x12!\n\x0ctrust_domain\x18\x1a \x01(\tR\x0btrustDomain\x12\x30\n\x14trust_domain_aliases\x18. \x03(\tR\x12trustDomainAliases\x12X\n\x0f\x63\x61_certificates\x18: \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.CertificateDataR\x0e\x63\x61\x43\x65rtificates\x12\x39\n\x19\x64\x65\x66\x61ult_service_export_to\x18\x1f \x03(\tR\x16\x64\x65\x66\x61ultServiceExportTo\x12H\n!default_virtual_service_export_to\x18 \x03(\tR\x1d\x64\x65\x66\x61ultVirtualServiceExportTo\x12J\n\"default_destination_rule_export_to\x18! \x03(\tR\x1e\x64\x65\x66\x61ultDestinationRuleExportTo\x12%\n\x0eroot_namespace\x18\" \x01(\tR\rrootNamespace\x12\x66\n\x13locality_lb_setting\x18# \x01(\x0b\x32\x36.istio.networking.v1alpha3.LocalityLoadBalancerSettingR\x11localityLbSetting\x12\x43\n\x10\x64ns_refresh_rate\x18$ \x01(\x0b\x32\x19.google.protobuf.DurationR\x0e\x64nsRefreshRate\x12[\n\x11h2_upgrade_policy\x18) \x01(\x0e\x32/.istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicyR\x0fh2UpgradePolicy\x12\x39\n\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12\x44\n\x0c\x63\x65rtificates\x18/ \x03(\x0b\x32 .istio.mesh.v1alpha1.CertificateR\x0c\x63\x65rtificates\x12Q\n\rthrift_config\x18\x31 \x01(\x0b\x32,.istio.mesh.v1alpha1.MeshConfig.ThriftConfigR\x0cthriftConfig\x12Z\n\x10service_settings\x18\x32 \x03(\x0b\x32/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n\x17\x65nable_prometheus_merge\x18\x33 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x15\x65nablePrometheusMerge\x12[\n\x1cverify_certificate_at_client\x18\x36 \x01(\x0b\x32\x1a.google.protobuf.BoolValueR\x19verifyCertificateAtClient\x12\x32\n\x02\x63\x61\x18\x37 \x01(\x0b\x32\".istio.mesh.v1alpha1.MeshConfig.CAR\x02\x63\x61\x12\x62\n\x13\x65xtension_providers\x18\x39 
\x03(\x0b\x32\x31.istio.mesh.v1alpha1.MeshConfig.ExtensionProviderR\x12\x65xtensionProviders\x12]\n\x11\x64\x65\x66\x61ult_providers\x18< \x01(\x0b\x32\x30.istio.mesh.v1alpha1.MeshConfig.DefaultProvidersR\x10\x64\x65\x66\x61ultProviders\x12\x64\n\x13\x64iscovery_selectors\x18; \x03(\x0b\x32\x33.k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorR\x12\x64iscoverySelectors\x1a\xad\x01\n\x15OutboundTrafficPolicy\x12N\n\x04mode\x18\x01 \x01(\x0e\x32:.istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.ModeR\x04mode\"D\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01\"\x04\x08\x02\x10\x02*\x14VIRTUAL_SERVICE_ONLY\x1a\x8c\x01\n\x0f\x43\x65rtificateData\x12\x12\n\x03pem\x18\x01 \x01(\tH\x00R\x03pem\x12,\n\x11spiffe_bundle_url\x18\x02 \x01(\tH\x00R\x0fspiffeBundleUrl\x12#\n\rtrust_domains\x18\x03 \x03(\tR\x0ctrustDomainsB\x12\n\x10\x63\x65rtificate_data\x1a}\n\x0cThriftConfig\x12$\n\x0erate_limit_url\x18\x01 \x01(\tR\x0crateLimitUrl\x12G\n\x12rate_limit_timeout\x18\x02 \x01(\x0b\x32\x19.google.protobuf.DurationR\x10rateLimitTimeout\x1a\xae\x01\n\x0fServiceSettings\x12T\n\x08settings\x18\x01 \x01(\x0b\x32\x38.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\x08settings\x12\x14\n\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n\x08Settings\x12#\n\rcluster_local\x18\x01 \x01(\x08R\x0c\x63lusterLocal\x1a\xd4\x01\n\x02\x43\x41\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12\x42\n\x0frequest_timeout\x18\x03 \x01(\x0b\x32\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n\x0bistiod_side\x18\x04 \x01(\x08R\nistiodSide\x1a\xda\x1a\n\x11\x45xtensionProvider\x12\x12\n\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n\x14\x65nvoy_ext_authz_http\x18\x02 \x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11\x65nvoyExtAuthzHttp\x12\x8b\x01\n\x14\x65nvoy_ext_authz_grpc\x18\x03 
\x01(\x0b\x32X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProviderH\x00R\x11\x65nvoyExtAuthzGrpc\x12\x61\n\x06zipkin\x18\x04 \x01(\x0b\x32G.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProviderH\x00R\x06zipkin\x12j\n\tlightstep\x18\x05 \x01(\x0b\x32J.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProviderH\x00R\tlightstep\x12\x64\n\x07\x64\x61tadog\x18\x06 \x01(\x0b\x32H.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProviderH\x00R\x07\x64\x61tadog\x12i\n\x0bstackdriver\x18\x07 \x01(\x0b\x32\x45.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProviderH\x00R\x0bstackdriver\x12r\n\nopencensus\x18\x08 \x01(\x0b\x32P.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProviderH\x00R\nopencensus\x1a\xab\x01\n%EnvoyExternalAuthorizationRequestBody\x12*\n\x11max_request_bytes\x18\x01 \x01(\rR\x0fmaxRequestBytes\x12\x32\n\x15\x61llow_partial_message\x18\x02 \x01(\x08R\x13\x61llowPartialMessage\x12\"\n\rpack_as_bytes\x18\x03 \x01(\x08R\x0bpackAsBytes\x1a\xb2\x07\n&EnvoyExternalAuthorizationHttpProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x33\n\x07timeout\x18\t \x01(\x0b\x32\x19.google.protobuf.DurationR\x07timeout\x12\x1f\n\x0bpath_prefix\x18\x03 \x01(\tR\npathPrefix\x12\x1b\n\tfail_open\x18\x04 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x05 \x01(\tR\rstatusOnError\x12\x37\n\x18include_headers_in_check\x18\x06 \x03(\tR\x15includeHeadersInCheck\x12\x46\n include_request_headers_in_check\x18\n \x03(\tR\x1cincludeRequestHeadersInCheck\x12\xcb\x01\n#include_additional_headers_in_check\x18\x0b \x03(\x0b\x32}.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntryR\x1fincludeAdditionalHeadersInCheck\x12\x99\x01\n\x1dinclude_request_body_in_check\x18\x0c 
\x01(\x0b\x32W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x12>\n\x1cheaders_to_upstream_on_allow\x18\x07 \x03(\tR\x18headersToUpstreamOnAllow\x12@\n\x1dheaders_to_downstream_on_deny\x18\x08 \x03(\tR\x19headersToDownstreamOnDeny\x1aR\n$IncludeAdditionalHeadersInCheckEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n\x05value\x18\x02 \x01(\tR\x05value:\x02\x38\x01\x1a\xec\x02\n&EnvoyExternalAuthorizationGrpcProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12\x33\n\x07timeout\x18\x05 \x01(\x0b\x32\x19.google.protobuf.DurationR\x07timeout\x12\x1b\n\tfail_open\x18\x03 \x01(\x08R\x08\x66\x61ilOpen\x12&\n\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x12\x99\x01\n\x1dinclude_request_body_in_check\x18\x06 \x01(\x0b\x32W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1ak\n\x15ZipkinTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\x91\x01\n\x18LightstepTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12!\n\x0c\x61\x63\x63\x65ss_token\x18\x03 \x01(\tR\x0b\x61\x63\x63\x65ssToken\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\x1al\n\x16\x44\x61tadogTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12$\n\x0emax_tag_length\x18\x03 \x01(\rR\x0cmaxTagLength\x1a\xdc\x02\n\x13StackdriverProvider\x12\x14\n\x05\x64\x65\x62ug\x18\x01 \x01(\x08R\x05\x64\x65\x62ug\x12T\n\x18max_number_of_attributes\x18\x02 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x15maxNumberOfAttributes\x12V\n\x19max_number_of_annotations\x18\x03 \x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x16maxNumberOfAnnotations\x12[\n\x1cmax_number_of_message_events\x18\x04 
\x01(\x0b\x32\x1b.google.protobuf.Int64ValueR\x18maxNumberOfMessageEvents\x12$\n\x0emax_tag_length\x18\x05 \x01(\rR\x0cmaxTagLength\x1a\xd4\x02\n\x1eOpenCensusAgentTracingProvider\x12\x18\n\x07service\x18\x01 \x01(\tR\x07service\x12\x12\n\x04port\x18\x02 \x01(\rR\x04port\x12w\n\x07\x63ontext\x18\x03 \x03(\x0e\x32].istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContextR\x07\x63ontext\x12$\n\x0emax_tag_length\x18\x04 \x01(\rR\x0cmaxTagLength\"e\n\x0cTraceContext\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x15\n\x11W3C_TRACE_CONTEXT\x10\x01\x12\x0c\n\x08GRPC_BIN\x10\x02\x12\x17\n\x13\x43LOUD_TRACE_CONTEXT\x10\x03\x12\x06\n\x02\x42\x33\x10\x04\x42\n\n\x08provider\x1a,\n\x10\x44\x65\x66\x61ultProviders\x12\x18\n\x07tracing\x18\x01 \x01(\tR\x07tracing\"J\n\x15IngressControllerMode\x12\x0f\n\x0bUNSPECIFIED\x10\x00\x12\x07\n\x03OFF\x10\x01\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x02\x12\n\n\x06STRICT\x10\x03\"&\n\nAuthPolicy\x12\x08\n\x04NONE\x10\x00\x12\x0e\n\nMUTUAL_TLS\x10\x01\"\'\n\x11\x41\x63\x63\x65ssLogEncoding\x12\x08\n\x04TEXT\x10\x00\x12\x08\n\x04JSON\x10\x01\"2\n\x0fH2UpgradePolicy\x12\x12\n\x0e\x44O_NOT_UPGRADE\x10\x00\x12\x0b\n\x07UPGRADE\x10\x01J\x04\x08\x01\x10\x02J\x04\x08\x02\x10\x03J\x04\x08\x03\x10\x04J\x04\x08\x30\x10\x31J\x04\x08\x19\x10\x1aJ\x04\x08\x1e\x10\x1fJ\x04\x08\n\x10\x0bJ\x04\x08\x0b\x10\x0cJ\x04\x08\x0f\x10\x10J\x04\x08\x10\x10\x11J\x04\x08\x12\x10\x13J\x04\x08\x13\x10\x14J\x04\x08\x14\x10\x15J\x04\x08\x15\x10\x16J\x04\x08\x17\x10\x18J\x04\x08\x1d\x10\x1eJ\x04\x08\x35\x10\x36J\x04\x08%\x10&J\x04\x08&\x10\'J\x04\x08\'\x10(R\x12mixer_check_serverR\x13mixer_report_serverR\x15\x64isable_policy_checksR\x1a\x64isable_mixer_http_reportsR\x16policy_check_fail_openR%sidecar_to_telemetry_session_affinityR\x0b\x61uth_policyR\x11rds_refresh_delayR\rmixer_addressR\x1f\x65nable_client_side_policy_checkR\x0csds_uds_pathR\x11sds_refresh_delayR\x16\x65nable_sds_token_mountR\x12sds_use_k8s_sa_jwtR\x1atermination_drain_durationR\x14\
x64isable_report_batchR\x18report_batch_max_entriesR\x15report_batch_max_time\"\xcb\x01\n\x0c\x43onfigSource\x12\x18\n\x07\x61\x64\x64ress\x18\x01 \x01(\tR\x07\x61\x64\x64ress\x12O\n\x0ctls_settings\x18\x02 \x01(\x0b\x32,.istio.networking.v1alpha3.ClientTLSSettingsR\x0btlsSettings\x12P\n\x14subscribed_resources\x18\x03 \x03(\x0e\x32\x1d.istio.mesh.v1alpha1.ResourceR\x13subscribedResources\"K\n\x0b\x43\x65rtificate\x12\x1f\n\x0bsecret_name\x18\x01 \x01(\tR\nsecretName\x12\x1b\n\tdns_names\x18\x02 \x03(\tR\x08\x64nsNames* \n\x08Resource\x12\x14\n\x10SERVICE_REGISTRY\x10\x00\x42\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3') , dependencies=[google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,google_dot_protobuf_dot_wrappers__pb2.DESCRIPTOR,mesh_dot_v1alpha1_dot_proxy__pb2.DESCRIPTOR,networking_dot_v1alpha3_dot_destination__rule__pb2.DESCRIPTOR,k8s_dot_io_dot_apimachinery_dot_pkg_dot_apis_dot_meta_dot_v1_dot_generated__pb2.DESCRIPTOR,]) @@ -43,8 +43,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=7476, - serialized_end=7508, + serialized_start=8430, + serialized_end=8462, ) _sym_db.RegisterEnumDescriptor(_RESOURCE) @@ -103,8 +103,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6292, - serialized_end=6393, + serialized_start=7246, + serialized_end=7347, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER_TRACECONTEXT) @@ -133,8 +133,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6453, - serialized_end=6527, + serialized_start=7407, + serialized_end=7481, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_INGRESSCONTROLLERMODE) @@ -155,8 +155,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6529, - serialized_end=6567, + serialized_start=7483, + serialized_end=7521, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_AUTHPOLICY) 
@@ -177,8 +177,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6569, - serialized_end=6608, + serialized_start=7523, + serialized_end=7562, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_ACCESSLOGENCODING) @@ -199,8 +199,8 @@ ], containing_type=None, serialized_options=None, - serialized_start=6610, - serialized_end=6660, + serialized_start=7564, + serialized_end=7614, ) _sym_db.RegisterEnumDescriptor(_MESHCONFIG_H2UPGRADEPOLICY) 
@@ -438,6 +438,87 @@ serialized_end=3938, ) +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY = _descriptor.Descriptor( + name='EnvoyExternalAuthorizationRequestBody', + full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='max_request_bytes', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody.max_request_bytes', index=0, + number=1, type=13, cpp_type=3, label=1, + has_default_value=False, default_value=0, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='maxRequestBytes', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='allow_partial_message', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody.allow_partial_message', index=1, + number=2, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='allowPartialMessage', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='pack_as_bytes', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody.pack_as_bytes', index=2, + number=3, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='packAsBytes', file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + serialized_options=None, + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=4799, + serialized_end=4970, +) + 
+_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY = _descriptor.Descriptor( + name='IncludeAdditionalHeadersInCheckEntry', + full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='key', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry.key', index=0, + number=1, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='key', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='value', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry.value', index=1, + number=2, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='value', file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + serialized_options=_b('8\001'), + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=5837, + serialized_end=5919, +) + _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER = _descriptor.Descriptor( name='EnvoyExternalAuthorizationHttpProvider', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider', 
@@ -460,42 +541,70 @@ is_extension=False, extension_scope=None, serialized_options=None, json_name='port', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='path_prefix', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.path_prefix', index=2, + name='timeout', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.timeout', index=2, + number=9, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='timeout', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='path_prefix', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.path_prefix', index=3, number=3, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='pathPrefix', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='fail_open', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.fail_open', index=3, + name='fail_open', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.fail_open', index=4, number=4, type=8, cpp_type=7, label=1, has_default_value=False, default_value=False, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='failOpen', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='status_on_error', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.status_on_error', index=4, + name='status_on_error', 
full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.status_on_error', index=5, number=5, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='statusOnError', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='include_headers_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.include_headers_in_check', index=5, + name='include_headers_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.include_headers_in_check', index=6, number=6, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='includeHeadersInCheck', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='headers_to_upstream_on_allow', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.headers_to_upstream_on_allow', index=6, + name='include_request_headers_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.include_request_headers_in_check', index=7, + number=10, type=9, cpp_type=9, label=3, + has_default_value=False, default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='includeRequestHeadersInCheck', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='include_additional_headers_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.include_additional_headers_in_check', index=8, + number=11, type=11, cpp_type=10, label=3, + has_default_value=False, 
default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='includeAdditionalHeadersInCheck', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='include_request_body_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.include_request_body_in_check', index=9, + number=12, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='includeRequestBodyInCheck', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='headers_to_upstream_on_allow', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.headers_to_upstream_on_allow', index=10, number=7, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='headersToUpstreamOnAllow', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='headers_to_downstream_on_deny', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.headers_to_downstream_on_deny', index=7, + name='headers_to_downstream_on_deny', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.headers_to_downstream_on_deny', index=11, number=8, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, @@ -504,7 +613,7 @@ ], extensions=[ ], - nested_types=[], + nested_types=[_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY, ], enum_types=[ ], serialized_options=None, 
@@ -513,8 +622,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=4799, - serialized_end=5174, + serialized_start=4973, + serialized_end=5919, ) _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER = _descriptor.Descriptor( 
@@ -539,19 +648,33 @@ is_extension=False, extension_scope=None, serialized_options=None, json_name='port', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='fail_open', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.fail_open', index=2, + name='timeout', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.timeout', index=2, + number=5, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='timeout', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='fail_open', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.fail_open', index=3, number=3, type=8, cpp_type=7, label=1, has_default_value=False, default_value=False, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='failOpen', file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='status_on_error', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.status_on_error', index=3, + name='status_on_error', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.status_on_error', index=4, number=4, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, serialized_options=None, json_name='statusOnError', file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='include_request_body_in_check', full_name='istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider.include_request_body_in_check', index=5, + number=6, type=11, cpp_type=10, label=1, + has_default_value=False, 
default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, json_name='includeRequestBodyInCheck', file=DESCRIPTOR), ], extensions=[ ], @@ -564,8 +687,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5177, - serialized_end=5332, + serialized_start=5922, + serialized_end=6286, ) _MESHCONFIG_EXTENSIONPROVIDER_ZIPKINTRACINGPROVIDER = _descriptor.Descriptor( @@ -608,8 +731,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5334, - serialized_end=5441, + serialized_start=6288, + serialized_end=6395, ) _MESHCONFIG_EXTENSIONPROVIDER_LIGHTSTEPTRACINGPROVIDER = _descriptor.Descriptor( @@ -659,8 +782,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5444, - serialized_end=5589, + serialized_start=6398, + serialized_end=6543, ) _MESHCONFIG_EXTENSIONPROVIDER_DATADOGTRACINGPROVIDER = _descriptor.Descriptor( @@ -703,8 +826,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5591, - serialized_end=5699, + serialized_start=6545, + serialized_end=6653, ) _MESHCONFIG_EXTENSIONPROVIDER_STACKDRIVERPROVIDER = _descriptor.Descriptor( @@ -761,8 +884,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=5702, - serialized_end=6050, + serialized_start=6656, + serialized_end=7004, ) _MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER = _descriptor.Descriptor( @@ -813,8 +936,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=6053, - serialized_end=6393, + serialized_start=7007, + serialized_end=7347, ) _MESHCONFIG_EXTENSIONPROVIDER = _descriptor.Descriptor( 
@@ -883,7 +1006,7 @@ ], extensions=[ ], - nested_types=[_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_ZIPKINTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_LIGHTSTEPTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_DATADOGTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_STACKDRIVERPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER, ], + nested_types=[_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY, _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_ZIPKINTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_LIGHTSTEPTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_DATADOGTRACINGPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_STACKDRIVERPROVIDER, _MESHCONFIG_EXTENSIONPROVIDER_OPENCENSUSAGENTTRACINGPROVIDER, ], enum_types=[ ], serialized_options=None, @@ -896,7 +1019,7 @@ index=0, containing_type=None, fields=[]), ], serialized_start=3941, - serialized_end=6405, + serialized_end=7359, ) _MESHCONFIG_DEFAULTPROVIDERS = _descriptor.Descriptor( @@ -925,8 +1048,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=6407, - serialized_end=6451, + serialized_start=7361, + serialized_end=7405, ) _MESHCONFIG = _descriptor.Descriptor( @@ -1233,7 +1356,7 @@ oneofs=[ ], serialized_start=241, - serialized_end=7191, + serialized_end=8145, ) @@ -1277,8 +1400,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=7194, - serialized_end=7397, + serialized_start=8148, + serialized_end=8351, ) @@ -1315,8 +1438,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=7399, - serialized_end=7474, + serialized_start=8353, + serialized_end=8428, ) _MESHCONFIG_OUTBOUNDTRAFFICPOLICY.fields_by_name['mode'].enum_type = _MESHCONFIG_OUTBOUNDTRAFFICPOLICY_MODE 
@@ -1337,7 +1460,14 @@ _MESHCONFIG_CA.fields_by_name['tls_settings'].message_type = networking_dot_v1alpha3_dot_destination__rule__pb2._CLIENTTLSSETTINGS _MESHCONFIG_CA.fields_by_name['request_timeout'].message_type = google_dot_protobuf_dot_duration__pb2._DURATION _MESHCONFIG_CA.containing_type = _MESHCONFIG +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY.containing_type = _MESHCONFIG_EXTENSIONPROVIDER +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY.containing_type = _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER.fields_by_name['timeout'].message_type = google_dot_protobuf_dot_duration__pb2._DURATION +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER.fields_by_name['include_additional_headers_in_check'].message_type = _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER.fields_by_name['include_request_body_in_check'].message_type = _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER.containing_type = _MESHCONFIG_EXTENSIONPROVIDER +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER.fields_by_name['timeout'].message_type = google_dot_protobuf_dot_duration__pb2._DURATION +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER.fields_by_name['include_request_body_in_check'].message_type = _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONGRPCPROVIDER.containing_type = _MESHCONFIG_EXTENSIONPROVIDER _MESHCONFIG_EXTENSIONPROVIDER_ZIPKINTRACINGPROVIDER.containing_type = _MESHCONFIG_EXTENSIONPROVIDER _MESHCONFIG_EXTENSIONPROVIDER_LIGHTSTEPTRACINGPROVIDER.containing_type = 
_MESHCONFIG_EXTENSIONPROVIDER @@ -1459,7 +1589,21 @@ 'ExtensionProvider' : _reflection.GeneratedProtocolMessageType('ExtensionProvider', (_message.Message,), { + 'EnvoyExternalAuthorizationRequestBody' : _reflection.GeneratedProtocolMessageType('EnvoyExternalAuthorizationRequestBody', (_message.Message,), { + 'DESCRIPTOR' : _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONREQUESTBODY, + '__module__' : 'mesh.v1alpha1.config_pb2' + # @@protoc_insertion_point(class_scope:istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody) + }) + , + 'EnvoyExternalAuthorizationHttpProvider' : _reflection.GeneratedProtocolMessageType('EnvoyExternalAuthorizationHttpProvider', (_message.Message,), { + + 'IncludeAdditionalHeadersInCheckEntry' : _reflection.GeneratedProtocolMessageType('IncludeAdditionalHeadersInCheckEntry', (_message.Message,), { + 'DESCRIPTOR' : _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY, + '__module__' : 'mesh.v1alpha1.config_pb2' + # @@protoc_insertion_point(class_scope:istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry) + }) + , 'DESCRIPTOR' : _MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER, '__module__' : 'mesh.v1alpha1.config_pb2' # @@protoc_insertion_point(class_scope:istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider) 
@@ -1531,7 +1675,9 @@ _sym_db.RegisterMessage(MeshConfig.ServiceSettings.Settings) _sym_db.RegisterMessage(MeshConfig.CA) _sym_db.RegisterMessage(MeshConfig.ExtensionProvider) +_sym_db.RegisterMessage(MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody) _sym_db.RegisterMessage(MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider) +_sym_db.RegisterMessage(MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider.IncludeAdditionalHeadersInCheckEntry) _sym_db.RegisterMessage(MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider) _sym_db.RegisterMessage(MeshConfig.ExtensionProvider.ZipkinTracingProvider) _sym_db.RegisterMessage(MeshConfig.ExtensionProvider.LightstepTracingProvider) @@ -1556,4 +1702,5 @@ DESCRIPTOR._options = None +_MESHCONFIG_EXTENSIONPROVIDER_ENVOYEXTERNALAUTHORIZATIONHTTPPROVIDER_INCLUDEADDITIONALHEADERSINCHECKENTRY._options = None # @@protoc_insertion_point(module_scope)