Sync Gloo Mesh APIs. Destination Branch: gloo-mesh-v2.5.x

Author: soloio-bot

api/gloo.solo.io/admin/v2/root_trust_policy.proto

@@ -1,3 +1,54 @@
+// A RootTrustPolicy is used to designate the root of trust, including the trust domain and root
+// certificates used by one or more service meshes. With a RootTrustPolicy, you can set
+// set up an Istio root CA and use that root CA to automatically issue intermediate CA certificates
+// for all your workload clusters that make up your multicluster service mesh. Because all intermediate CA certificates are
+// derived from the same root, your workloads can securely talk to each other, even across cluster boundaries.
+// This approach is also referred to as federated trust.
+//
+// You have the option to fully or partially manage the Istio CA certificate lifecycle. The
+// option that is right for you depends on the type of environment that you have and the level
+// of control you want to have over the Istio CA certificate lifecycle.
+//
+// ## Examples
+//
+// The following example instructs {{% reuse "conrefs/snippets/policies/ov_fault_injection.md" %}} to 
+// create a self-signed root CA certificate that is valid for 730 days. 
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//  name: root-trust-policy
+//  namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       generated:
+//         ttlDays: 730
+// ```
+//
+// To bring your own root CA certificate, store the root CA credentials in a Kubernetes secret. Then,
+// reference this secret in your RootTrustPolicy. 
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//   name: istio-ingressgateway
+//   namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       secretRef:
+//         name: my-root-trust-cert
+//         namespace: gloo-mesh
+// ```
+//
+// {{% alert %}}
+// Creating a RootTrustPoliy resource triggers the renewal of Istio certificates.
+// If your service mesh uses sidecars, you must restart your applications
+// to apply the latest certificate.
+// {{% /alert %}}
 syntax = "proto3";
 
 package admin.gloo.solo.io;
@@ -14,8 +65,6 @@ option (extproto.equal_all) = true;
 option (extproto.hash_all) = true;
 option (extproto.clone_all) = true;
 
-// RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes.
-// A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
 message RootTrustPolicySpec {
 
   // select the meshes where the root of trust will be applied.
@@ -52,10 +101,12 @@ message RootTrustPolicySpec {
       // Specify the source of the Root CA data which Gloo Mesh will use for the RootTrustPolicy.
       oneof ca_source {
 
-        // Generate a self-signed root certificate with the given options.
+        // Generate a self-signed root certificate with the given options. By default, the root CA
+        // is valid for 1 year.
         .tls.security.policy.gloo.solo.io.CommonCertOptions generated = 1;
 
-        // Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority.
+        // The name of a Kubernetes secret in the same namespace as the RootTrustPolicy that contains the
+        // root certificate authority.
         // Provided certificates must conform to a specified format, [documented here]({{< link path="/setup/prod/certs/relay/" >}}).
         .core.skv2.solo.io.ObjectRef secret_ref = 2;
 

api/gloo.solo.io/apimanagement/v2/api_doc.proto

@@ -4,7 +4,6 @@
 // The ApiDoc type is used to represent different types of API schema specification languages:
 // - OpenAPI
 // - gRPC
-// - GraphQL
 syntax = "proto3";
 
 package apimanagement.gloo.solo.io;
@@ -46,6 +45,8 @@ message ApiDocSpec {
     // The gRPC schema specification language. Specify only one schema type.
     GrpcSchema grpc = 2;
 
+    // <b>Unsupported</b>: The GraphQL integration is no longer supported.
+    //
     // The graphQL schema specification language. Specify only one schema type.
     GraphQLSchema graphql = 3;
   }
@@ -82,17 +83,9 @@ message ApiDocSpec {
     string inline_string = 1;
   }
 
-  // A complete gRPC schema describing the API.
+  // <b>Unsupported</b>: The GraphQL integration is no longer supported.
   //
-  // **Example**: In this gRPC example for a basic user service app,
-  // the base64-encoded descriptor includes a set of fields that are defined
-  // for various queries, such as `UserSearch` and `UserByCountry`. For detailed
-  // information about the settings in this example, see
-  // [gRPC schema](https://docs.solo.io/gloo-mesh-gateway/latest/graphql/resolvers/resolved/resolver_grpc/)
-  // in the GraphQL integration documentation.
-  // ```yaml
-  // {{% readfile file="static/content/examples/generated/int/graphql_routes/cluster-1/api-doc_bookinfo_grpc-schema.yaml" %}}
-  // ```
+  // A complete gRPC schema describing the API.
   message GrpcSchema {
     // Protobuf descriptors that represent the gRPC services provided by your API, encoded in base64.
     // For more information, see the
@@ -101,19 +94,13 @@ message ApiDocSpec {
 
   }
 
+  // <b>Unsupported</b>: The GraphQL integration is no longer supported.
+  //
   // Provide a schema definition in GraphQL SDL format.
   // The GraphQL schema also has logging options for logging sensitive
   // request-related information, and schema extension configuration such as
   // custom type definitions. For more information about the different schema features,
   // see the [GraphQL documentation](https://graphql.org/learn/schema/).
-  //
-  // **Example**: In this GraphQL example for the Bookinfo sample app, a query type and object
-  // types are defined. For detailed information about the settings in this example, see
-  // [Example GraphQL ApiDoc](https://docs.solo.io/gloo-mesh-gateway/latest/graphql/apidoc/#example-graphql-apidoc)
-  // in the GraphQL integration documentation.
-  // ```yaml
-  // {{% readfile file="static/content/examples/generated/int/graphql_proxied_introspection/cluster-1/api-doc_bookinfo_music-schema.yaml" %}}
-  // ```
   message GraphQLSchema {
     // Required: The GraphQL schema definition. Root-level query and mutation
     // types are supported, and you must define at least a query type.

api/gloo.solo.io/internal/insights/v2alpha1/insights.proto

@@ -101,10 +101,11 @@ message Insight {
       SYS0012Data SYS0012 = 25;
       SYS0014Data SYS0014 = 27;
       SYS0015Data SYS0015 = 28;
-      SYS0019Data SYS0019 = 29; // Adding so UI works for mock - might change later
       SYS0020Data SYS0020 = 30;
       SYS0025Data SYS0025 = 31;
     }
+
+    reserved 29;
   }
 
   // Agent Deployent Reference
@@ -229,17 +230,13 @@ message Insight {
     int32 value = 1;
   }
 
-  // Adding so UI works for mock - might change later
-  message SYS0019Data {
-    string cilium_version = 1;
-  }
-
   // resource counts
   message SYS0020Data {
     int32 istio_resources = 1;
-    int32 cilium_resources = 2;
     int32 k8s_resources = 3;
     int32 gateway_resources = 4;
     int32 solo_resources = 5;
+
+    reserved 2;
   }
 }

api/gloo.solo.io/networking/v2/virtual_gateway.proto

@@ -230,8 +230,10 @@ message VirtualGatewaySpec {
     message HTTPServer {
 
     }
-
-    // $hide_from_docs TODO: TCPServer
+    
+    // Serve TCP routes for RouteTables that select this gateway.
+    // Make sure to open a TCP port on the backing Istio ingress gateway,
+    // which might require upgrading your IstioLifecycleManager or Helm installation.
     message TCPServer {
 
     }

api/gloo.solo.io/policy/v2/resilience/adaptive_request_concurrency_policy.proto

@@ -51,7 +51,6 @@ option (extproto.clone_all) = true;
 message AdaptiveRequestConcurrencyPolicySpec {
 
   // Destinations to apply the concurrency limit to.
-  // Note that external services are not supported as destinations with this policy.
   // If empty, the policy applies to all destinations in the workspace.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;
 

api/gloo.solo.io/policy/v2/resilience/failover_policy.proto

@@ -69,10 +69,6 @@ message FailoverPolicySpec {
 
   // Select the destinations to apply the policy to by using labels.
   // If empty, the policy applies to all destinations in the workspace.
-  // {{< alert context="info" >}}
-  // The destinations can be Kubernetes services or virtual destinations.
-  // Note that external services are not supported as destinations with this policy.
-  // {{< /alert >}}
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;
 
   // The details of the failover policy to apply to the selected virtual destinations.

api/gloo.solo.io/policy/v2/resilience/listener_connection_policy.proto

@@ -18,7 +18,7 @@ option (extproto.clone_all) = true;
 // ListenerConnectionPolicy is used to set configuration for gateway listeners.
 //
 // ```
-// apiVersion: trafficcontrol.policy.gloo.solo.io/v2
+// apiVersion: resilience.policy.gloo.solo.io/v2
 // kind: ListenerConnectionPolicy
 // metadata:
 //   name: my-policy

api/gloo.solo.io/policy/v2/resilience/outlier_detection_policy.proto

@@ -43,11 +43,8 @@ message OutlierDetectionPolicySpec {
   // 
   // </br>**Implementation notes**:<ul>
   // <li>If empty, the policy applies to all destinations in the workspace.</li>
-  // <li>The outlier detection policy currently supports selecting Gloo virtual destinations.
-  // Selecting Kubernetes services is not supported. To select a Gloo external service,
-  // the external service must refer to a service that is outside the service mesh
-  // but within the same cluster environment. Selecting Gloo external services that
-  // refer to a service outside the cluster is not supported.</li></ul>
+  // <li>This policy currently supports selecting Gloo virtual destinations or external services.
+  // Selecting Kubernetes services is not supported.</li></ul>
   //
   // **Configuration constraints**: `applyToDestinations.kind` must equal either `VIRTUAL_DESTINATION` or `EXTERNAL_SERVICE`.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;

api/gloo.solo.io/policy/v2/security/ext_auth_policy.proto

@@ -56,7 +56,7 @@ message ExtAuthPolicySpec {
   // Destinations to apply the policy to.
   //
   // </br>**Implementation notes**:
-  // <li>Only Kubernetes services can be specified. Virtual destinations or external services are not supported.</li>
+  // <li>{{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}</li>
   // <li>If empty and `applyToRoutes` is unset, the policy applies to all destinations in the workspace.</li>
   // <li>If empty and `applyToRoutes` is set, the policy does not apply to any destinations in the workspace.</li></ul>
   //

api/gloo.solo.io/policy/v2/security/jwt_policy.proto

@@ -105,7 +105,8 @@ message JWTPolicySpec {
   // If omitted and the policy selects a destination, the policy does not apply to any routes.
   repeated .common.gloo.solo.io.RouteSelector apply_to_routes = 1;
 
-  // Select the destinations where the policy will be applied. Only Kubernetes services are supported.
+  // Select the destinations where the policy will be applied.
+  // {{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}
   // By default if omitted, the policy does not apply to any destinations.
   // If empty (`{}`), the policy applies to all destinations in the workspace.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 3;

api/gloo.solo.io/policy/v2/trafficcontrol/ratelimit_policy.proto

@@ -29,8 +29,7 @@ message RateLimitPolicySpec {
   repeated .common.gloo.solo.io.RouteSelector apply_to_routes = 1;
 
   // Select the destinations where the policy will be applied.
-  // Note that rate limit outputs are only translated for destinations that are Kubernetes services.
-  // External services and virtual destinations are not supported as destinations with this policy.
+  // {{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}
   // If empty, the rate limit policy applies to all destinations in the workspace.
   // If the destination selector is empty but the route selector is set, no rate limits are applied on destinations, only on routes.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 2;

client-go/admin.gloo.solo.io/v2/root_trust_policy.pb.go

@@ -1,3 +1,55 @@
+// A RootTrustPolicy is used to designate the root of trust, including the trust domain and root
+// certificates used by one or more service meshes. With a RootTrustPolicy, you can set
+// set up an Istio root CA and use that root CA to automatically issue intermediate CA certificates
+// for all your workload clusters that make up your multicluster service mesh. Because all intermediate CA certificates are
+// derived from the same root, your workloads can securely talk to each other, even across cluster boundaries.
+// This approach is also referred to as federated trust.
+//
+// You have the option to fully or partially manage the Istio CA certificate lifecycle. The
+// option that is right for you depends on the type of environment that you have and the level
+// of control you want to have over the Istio CA certificate lifecycle.
+//
+// ## Examples
+//
+// The following example instructs {{% reuse "conrefs/snippets/policies/ov_fault_injection.md" %}} to
+// create a self-signed root CA certificate that is valid for 730 days.
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//  name: root-trust-policy
+//  namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       generated:
+//         ttlDays: 730
+// ```
+//
+// To bring your own root CA certificate, store the root CA credentials in a Kubernetes secret. Then,
+// reference this secret in your RootTrustPolicy.
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//   name: istio-ingressgateway
+//   namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       secretRef:
+//         name: my-root-trust-cert
+//         namespace: gloo-mesh
+// ```
+//
+// {{% alert %}}
+// Creating a RootTrustPoliy resource triggers the renewal of Istio certificates.
+// If your service mesh uses sidecars, you must restart your applications
+// to apply the latest certificate.
+// {{% /alert %}}
+
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
@@ -26,8 +78,6 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 
-// RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes.
-// A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
 type RootTrustPolicySpec struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -337,12 +387,14 @@ type isRootTrustPolicySpec_Config_MgmtServerCertificateAuthority_CaSource interf
 }
 
 type RootTrustPolicySpec_Config_MgmtServerCertificateAuthority_Generated struct {
-	// Generate a self-signed root certificate with the given options.
+	// Generate a self-signed root certificate with the given options. By default, the root CA
+	// is valid for 1 year.
 	Generated *tls.CommonCertOptions `protobuf:"bytes,1,opt,name=generated,proto3,oneof"`
 }
 
 type RootTrustPolicySpec_Config_MgmtServerCertificateAuthority_SecretRef struct {
-	// Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority.
+	// The name of a Kubernetes secret in the same namespace as the RootTrustPolicy that contains the
+	// root certificate authority.
 	// Provided certificates must conform to a specified format, [documented here]({{< link path="/setup/prod/certs/relay/" >}}).
 	SecretRef *v1.ObjectRef `protobuf:"bytes,2,opt,name=secret_ref,json=secretRef,proto3,oneof"`
 }