Commit fe48267

policy attachment: allow targetRefs (#3159)
* policy attachment: allow `targetRefs`

  Based on kubernetes-sigs/gateway-api#2966.

  Note that we do not HAVE to follow the GatewayAPI here; we can make our own decision. There is, however, a general desire to allow multiple for ergonomics.

  In this proposal, I hide `targetRef`, but the API will remain + be implemented forever. Implementation cost here is near zero, as we can easily translate it to a single `targetRefs`; we just hide from docs to push users toward the new ones.

* codegen

* Align documentation

* consistency
1 parent 2410bbc commit fe48267

19 files changed: +1318 -964 lines changed

extensions/v1alpha1/wasm.pb.go

Lines changed: 135 additions & 113 deletions

extensions/v1alpha1/wasm.pb.html

Lines changed: 17 additions & 11 deletions

extensions/v1alpha1/wasm.proto

Lines changed: 20 additions & 10 deletions
@@ -243,20 +243,30 @@ message WasmPlugin {
243243
// namespace, it will be applied to all applicable workloads in any
244244
// namespace.
245245
//
246-
// At most, only one of the selector or `targetRef` can be set for a given policy.
246+
// At most, only one of `selector` or `targetRefs` can be set for a given policy.
247247
istio.type.v1beta1.WorkloadSelector selector = 1;
248248

249-
// Optional. The `targetRef` specifies the gateway the policy should be
250-
// applied to. The targeted resource specified will determine which
251-
// workloads the WasmPlugin applies to. The targeted resource must be
252-
// a `Gateway` in the group `gateway.networking.k8s.io`. The gateway
253-
// must be in the same namespace as the policy.
254-
//
255-
// If the `targetRef` is not set, the policy is applied as defined by the selector.
256-
// At most, only one of the selector or `targetRef` can be set for a given policy.
257-
// Waypoint proxies will not respect selectors even if they match.
249+
// $hide_from_docs
258250
istio.type.v1beta1.PolicyTargetReference targetRef = 15;
259251

252+
// Optional. The targetRef specifies the gateway the policy should be
253+
// applied to. The targeted resource specified will determine which
254+
// workloads the policy applies to.
255+
//
256+
// Currently, the following resource attachment types are supported:
257+
// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
258+
//
259+
// If not set, the policy is applied as defined by the selector.
260+
// At most one of the selector and targetRefs can be set.
261+
//
262+
// NOTE: If you are using the `targetRefs` field in a multi-revision environment with Istio versions prior to 1.22,
263+
// it is highly recommended that you pin the policy to a revision running 1.22+ via the `istio.io/rev` label.
264+
// This is to prevent proxies connected to older control planes (that don't know about the `targetRefs` field)
265+
// from misinterpreting the policy as namespace-wide during the upgrade process.
266+
//
267+
// NOTE: Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored.
268+
repeated istio.type.v1beta1.PolicyTargetReference targetRefs = 16;
269+
260270
// URL of a Wasm module or OCI container. If no scheme is present,
261271
// defaults to `oci://`, referencing an OCI image. Other valid schemes
262272
// are `file://` for referencing .wasm module files present locally
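
Review bot: In the new comment block for `targetRefs = 16`, nothing says what happens when a policy sets both the hidden `targetRef = 15` and `targetRefs`, and the one-of rule at the top of the hunk now names only `selector` or `targetRefs`, so `selector` together with `targetRef` is no longer documented as invalid. Since `targetRef` stays in the API, state the rule for all three fields, for example "At most one of `selector`, `targetRef` and `targetRefs` can be set", and leave a one-line comment above `// $hide_from_docs` pointing proto readers to `targetRefs`. Two smaller points in the same block: the first sentence still reads "The targetRef specifies the gateway" for the plural field, and "At most one of the selector and targetRefs can be set" lacks the backticks used in the line above `selector = 1`. The multi-revision NOTE describes a failure that widens a policy to the whole namespace on control planes older than 1.22; because the only safeguard shown here is a recommendation in a doc comment, consider repeating it in the upgrade notes as well.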

kubernetes/customresourcedefinitions.gen.yaml

Lines changed: 126 additions & 7 deletions
