From d41c2303d665a84eb52010284928c43ea9a97107 Mon Sep 17 00:00:00 2001
From: Craig Box
Date: Thu, 9 May 2024 15:46:48 +1200
Subject: [PATCH 1/6] Update PeerAuthentication docs for mTLS

---
 security/v1beta1/peer_authentication.pb.go | 7 +++----
 security/v1beta1/peer_authentication.pb.html | 6 ++----
 security/v1beta1/peer_authentication.proto | 7 +++----
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go
index 91340986ea3..9246aaf27cc 100644
--- a/security/v1beta1/peer_authentication.pb.go
+++ b/security/v1beta1/peer_authentication.pb.go
@@ -97,14 +97,13 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
 	return file_security_v1beta1_peer_authentication_proto_rawDescGZIP(), []int{0, 0, 0}
 }
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
 // PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
 //
+// Ambient mode implies mTLS, and so DISABLE mode is not supported.
+//
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication
diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html
index 0c04a3643e4..c0857ba1a3e 100644
--- a/security/v1beta1/peer_authentication.pb.html
+++ b/security/v1beta1/peer_authentication.pb.html
@@ -10,10 +10,8 @@
 ---

PeerAuthentication

-

{{< warning >}} -Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient. -{{< /warning >}} -PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

+

PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

+

Ambient mode implies mTLS, and so DISABLE mode is not supported.

Examples:

Policy to allow mTLS traffic for all workloads under namespace foo:

apiVersion: security.istio.io/v1
diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto
index 08b370bc5f2..0478bbfda95 100644
--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -25,14 +25,13 @@ package istio.security.v1beta1;
 
 option go_package="istio.io/api/security/v1beta1";
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
 // PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
 //
+// Ambient mode implies mTLS, and so DISABLE mode is not supported.
+//
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication

From 5c3958ccd08b2dc1ffc1a08633343dbb57915260 Mon Sep 17 00:00:00 2001
From: Craig Box 
Date: Thu, 16 May 2024 14:12:37 +1200
Subject: [PATCH 2/6] update

---
 security/v1beta1/peer_authentication.pb.go   | 6 ++++--
 security/v1beta1/peer_authentication.pb.html | 5 +++--
 security/v1beta1/peer_authentication.proto   | 6 ++++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go
index 9246aaf27cc..b03f31cec48 100644
--- a/security/v1beta1/peer_authentication.pb.go
+++ b/security/v1beta1/peer_authentication.pb.go
@@ -97,9 +97,11 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
 	return file_security_v1beta1_peer_authentication_proto_rawDescGZIP(), []int{0, 0, 0}
 }
 
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
 //
-// Ambient mode implies mTLS, and so DISABLE mode is not supported.
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.
 //
 // Examples:
 //
diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html
index c0857ba1a3e..87cff867256 100644
--- a/security/v1beta1/peer_authentication.pb.html
+++ b/security/v1beta1/peer_authentication.pb.html
@@ -10,8 +10,9 @@
 ---
 

PeerAuthentication

-

PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

-

Ambient mode implies mTLS, and so DISABLE mode is not supported.

+

PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.

+

In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.

+

In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.

Examples:

Policy to allow mTLS traffic for all workloads under namespace foo:

apiVersion: security.istio.io/v1
diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto
index 0478bbfda95..79a2135b795 100644
--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -25,9 +25,11 @@ package istio.security.v1beta1;
 
 option go_package="istio.io/api/security/v1beta1";
 
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
 //
-// Ambient mode implies mTLS, and so DISABLE mode is not supported.
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.
 //
 // Examples:
 //

From 60024df69c3f75e7e1aad3f5dcc8ac9d087c8144 Mon Sep 17 00:00:00 2001
From: Craig Box 
Date: Fri, 17 May 2024 12:14:06 +1200
Subject: [PATCH 3/6] update text

---
 security/v1beta1/peer_authentication.proto | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto
index 79a2135b795..04269e8be29 100644
--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -27,9 +27,13 @@ option go_package="istio.io/api/security/v1beta1";
 
 // PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
 //
-// In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
 //
-// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
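Review bot: The new last sentence of the ambient paragraph, "STRICT mode is useful to ensure that connections that bypass the mesh are not possible", understates what the mode enforces and omits the contrast a reader needs for a security decision: what happens to a plaintext connection when the policy is not STRICT. The preceding sentences say ambient enables mTLS transparently, which a reader can take to mean plaintext is already rejected, but that only holds under STRICT; when no policy selects the workload the default PERMISSIVE mode applies and plaintext from a client outside the mesh is still accepted. I would replace the sentence with two lines in the file's existing backtick style: `// STRICT mode rejects any inbound connection that does not arrive over mesh mTLS; use it when plaintext access from clients outside the mesh must not be possible.` and `// Without a STRICT policy, PERMISSIVE mode applies and such plaintext connections are still accepted.` The same wording is carried into the generated peer_authentication.pb.go and peer_authentication.pb.html in the next patch and into peer_authentication_alias.gen.go in the last one, so those should be regenerated after the proto text changes rather than edited by hand.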

From 2d83eebbac85b10ad65cd3e79d58457b4fd0a94d Mon Sep 17 00:00:00 2001
From: Craig Box 
Date: Fri, 17 May 2024 12:14:30 +1200
Subject: [PATCH 4/6] made gen

---
 security/v1beta1/peer_authentication.pb.go   | 8 ++++++--
 security/v1beta1/peer_authentication.pb.html | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go
index b03f31cec48..3042b659b3c 100644
--- a/security/v1beta1/peer_authentication.pb.go
+++ b/security/v1beta1/peer_authentication.pb.go
@@ -99,9 +99,13 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) {
 
 // PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
 //
-// In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
 //
-// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html
index 87cff867256..a7f28d32388 100644
--- a/security/v1beta1/peer_authentication.pb.html
+++ b/security/v1beta1/peer_authentication.pb.html
@@ -11,8 +11,12 @@
 

PeerAuthentication

PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.

-

In sidecar mode, PeerAuthentication determines whether or not mTLS is enabled, or required, for connections to an Envoy proxy sidecar.

-

In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) Because of this, DISABLE mode is not supported.

+

In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required +for connections to an Envoy proxy sidecar.

+

In ambient mode, security is transparently enabled for a pod by the ztunnel node agent. +(Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.) +Because of this, DISABLE mode is not supported. +STRICT mode is useful to ensure that connections that bypass the mesh are not possible.

Examples:

Policy to allow mTLS traffic for all workloads under namespace foo:

apiVersion: security.istio.io/v1

From 0f17807e231b30ae7727f1b64c36b1000d06e643 Mon Sep 17 00:00:00 2001
From: Craig Box 
Date: Tue, 21 May 2024 22:36:21 +1200
Subject: [PATCH 5/6] make gen

---
 security/v1beta1/peer_authentication.pb.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/v1beta1/peer_authentication.pb.html b/security/v1beta1/peer_authentication.pb.html
index a7f28d32388..7859bf03c7e 100644
--- a/security/v1beta1/peer_authentication.pb.html
+++ b/security/v1beta1/peer_authentication.pb.html
@@ -18,7 +18,7 @@ 

PeerAuthentication

Because of this, DISABLE mode is not supported. STRICT mode is useful to ensure that connections that bypass the mesh are not possible.

Examples:

-

Policy to allow mTLS traffic for all workloads under namespace foo:

+

Policy to require mTLS traffic for all workloads under namespace foo:

apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:

From c50eb603754fa1c9378cf0eac319f04db699e2f4 Mon Sep 17 00:00:00 2001
From: Craig Box 
Date: Tue, 2 Jul 2024 12:39:10 +1200
Subject: [PATCH 6/6] fix gencheck

---
 security/v1/peer_authentication_alias.gen.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/security/v1/peer_authentication_alias.gen.go b/security/v1/peer_authentication_alias.gen.go
index 8591e45250f..6c570ac3694 100644
--- a/security/v1/peer_authentication_alias.gen.go
+++ b/security/v1/peer_authentication_alias.gen.go
@@ -3,14 +3,19 @@ package v1
 
 import "istio.io/api/security/v1beta1"
 
-// {{< warning >}}
-// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
-// {{< /warning >}}
-// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
+//
+// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
+// for connections to an Envoy proxy sidecar.
+//
+// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+// Because of this, `DISABLE` mode is not supported.
+// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
 //
 // Examples:
 //
-// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// Policy to require mTLS traffic for all workloads under namespace `foo`:
 // ```yaml
 // apiVersion: security.istio.io/v1
 // kind: PeerAuthentication