Sync APIs. @tag-name=gloo-mesh-v2.6.7

api/gloo.solo.io/admin/v2/root_trust_policy.proto

@@ -1,3 +1,54 @@
+// A RootTrustPolicy is used to designate the root of trust, including the trust domain and root
+// certificates used by one or more service meshes. With a RootTrustPolicy, you can set
+// set up an Istio root CA and use that root CA to automatically issue intermediate CA certificates
+// for all your workload clusters that make up your multicluster service mesh. Because all intermediate CA certificates are
+// derived from the same root, your workloads can securely talk to each other, even across cluster boundaries.
+// This approach is also referred to as federated trust.
+//
+// You have the option to fully or partially manage the Istio CA certificate lifecycle. The
+// option that is right for you depends on the type of environment that you have and the level
+// of control you want to have over the Istio CA certificate lifecycle.
+//
+// ## Examples
+//
+// The following example instructs {{% reuse "conrefs/snippets/policies/ov_fault_injection.md" %}} to 
+// create a self-signed root CA certificate that is valid for 730 days. 
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//  name: root-trust-policy
+//  namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       generated:
+//         ttlDays: 730
+// ```
+//
+// To bring your own root CA certificate, store the root CA credentials in a Kubernetes secret. Then,
+// reference this secret in your RootTrustPolicy. 
+//
+// ```yaml
+// apiVersion: admin.gloo.solo.io/v2
+// kind: RootTrustPolicy
+// metadata:
+//   name: istio-ingressgateway
+//   namespace: gloo-mesh
+// spec:
+//   config:
+//     mgmtServerCa:
+//       secretRef:
+//         name: my-root-trust-cert
+//         namespace: gloo-mesh
+// ```
+//
+// {{% alert %}}
+// Creating a RootTrustPoliy resource triggers the renewal of Istio certificates.
+// If your service mesh uses sidecars, you must restart your applications
+// to apply the latest certificate.
+// {{% /alert %}}
 syntax = "proto3";
 
 package admin.gloo.solo.io;
@@ -14,8 +65,6 @@ option (extproto.equal_all) = true;
 option (extproto.hash_all) = true;
 option (extproto.clone_all) = true;
 
-// RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes.
-// A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
 message RootTrustPolicySpec {
 
   // select the meshes where the root of trust will be applied.
@@ -52,10 +101,12 @@ message RootTrustPolicySpec {
       // Specify the source of the Root CA data which Gloo Mesh will use for the RootTrustPolicy.
       oneof ca_source {
 
-        // Generate a self-signed root certificate with the given options.
+        // Generate a self-signed root certificate with the given options. By default, the root CA
+        // is valid for 1 year.
         .tls.security.policy.gloo.solo.io.CommonCertOptions generated = 1;
 
-        // Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority.
+        // The name of a Kubernetes secret in the same namespace as the RootTrustPolicy that contains the
+        // root certificate authority.
         // Provided certificates must conform to a specified format, [documented here]({{< link path="/setup/prod/certs/relay/" >}}).
         .core.skv2.solo.io.ObjectRef secret_ref = 2;
 

api/gloo.solo.io/apimanagement/v2/api_doc.proto

@@ -4,7 +4,6 @@
 // The ApiDoc type is used to represent different types of API schema specification languages:
 // - OpenAPI
 // - gRPC
-// - GraphQL
 syntax = "proto3";
 
 package apimanagement.gloo.solo.io;
@@ -45,6 +44,8 @@ message ApiDocSpec {
     // The gRPC schema specification language. Specify only one schema type.
     GrpcSchema grpc = 2;
 
+    // <b>Unsupported</b>: The GraphQL integration is no longer supported.
+    //
     // The graphQL schema specification language. Specify only one schema type.
     GraphQLSchema graphql = 3;
   }
@@ -81,17 +82,9 @@ message ApiDocSpec {
     string inline_string = 1;
   }
 
-  // A complete gRPC schema describing the API.
+  // <b>Unsupported</b>: The GraphQL integration is no longer supported.
   //
-  // **Example**: In this gRPC example for a basic user service app,
-  // the base64-encoded descriptor includes a set of fields that are defined
-  // for various queries, such as `UserSearch` and `UserByCountry`. For detailed
-  // information about the settings in this example, see
-  // [gRPC schema](https://docs.solo.io/gloo-mesh-gateway/latest/graphql/resolvers/resolved/resolver_grpc/)
-  // in the GraphQL integration documentation.
-  // ```yaml
-  // {{% readfile file="static/content/examples/generated/int/graphql_routes/cluster-1/api-doc_bookinfo_grpc-schema.yaml" %}}
-  // ```
+  // A complete gRPC schema describing the API.
   message GrpcSchema {
     // Protobuf descriptors that represent the gRPC services provided by your API, encoded in base64.
     // For more information, see the
@@ -100,19 +93,13 @@ message ApiDocSpec {
 
   }
 
+  // <b>Unsupported</b>: The GraphQL integration is no longer supported.
+  //
   // Provide a schema definition in GraphQL SDL format.
   // The GraphQL schema also has logging options for logging sensitive
   // request-related information, and schema extension configuration such as
   // custom type definitions. For more information about the different schema features,
   // see the [GraphQL documentation](https://graphql.org/learn/schema/).
-  //
-  // **Example**: In this GraphQL example for the Bookinfo sample app, a query type and object
-  // types are defined. For detailed information about the settings in this example, see
-  // [Example GraphQL ApiDoc](https://docs.solo.io/gloo-mesh-gateway/latest/graphql/apidoc/#example-graphql-apidoc)
-  // in the GraphQL integration documentation.
-  // ```yaml
-  // {{% readfile file="static/content/examples/generated/int/graphql_proxied_introspection/cluster-1/api-doc_bookinfo_music-schema.yaml" %}}
-  // ```
   message GraphQLSchema {
     // Required: The GraphQL schema definition. Root-level query and mutation
     // types are supported, and you must define at least a query type.

api/gloo.solo.io/internal/insights/v2alpha1/insights.proto

@@ -101,7 +101,6 @@ message Insight {
       SYS0012Data SYS0012 = 25;
       SYS0014Data SYS0014 = 27;
       SYS0015Data SYS0015 = 28;
-      SYS0019Data SYS0019 = 29; // Adding so UI works for mock - might change later
       SYS0020Data SYS0020 = 30;
       SYS0025Data SYS0025 = 31;
     }
@@ -229,15 +228,9 @@ message Insight {
     int32 value = 1;
   }
 
-  // Adding so UI works for mock - might change later
-  message SYS0019Data {
-    string cilium_version = 1;
-  }
-
   // resource counts
   message SYS0020Data {
     int32 istio_resources = 1;
-    int32 cilium_resources = 2;
     int32 k8s_resources = 3;
     int32 gateway_resources = 4;
     int32 solo_resources = 5;

api/gloo.solo.io/internal/v2alpha1/virtual_service_backup.proto

@@ -0,0 +1,13 @@
+syntax = "proto3";
+package internal.gloo.solo.io;
+
+import "istio.io/api/networking/v1beta1/virtual_service.proto";
+import "github.com/solo-io/solo-apis/api/gloo.solo.io/common/v2/references.proto";
+
+option go_package = "github.com/solo-io/solo-apis/client-go/internal.gloo.solo.io/v2alpha1";
+
+message VirtualServiceBackupSpec {
+  // The VirtualService spec that is being backed up
+  // $hide_from_docs
+  istio.networking.v1beta1.VirtualService spec = 1;
+}

api/gloo.solo.io/networking/v2/virtual_gateway.proto

@@ -249,8 +249,10 @@ message VirtualGatewaySpec {
     message HTTPServer {
 
     }
-
-    // $hide_from_docs TODO: TCPServer
+
+    // Serve TCP routes for RouteTables that select this gateway.
+    // Make sure to open a TCP port on the backing Istio ingress gateway,
+    // which might require upgrading your IstioLifecycleManager or Helm installation.
     message TCPServer {
 
     }

api/gloo.solo.io/networking/v2alpha1/progressive_delivery.proto

@@ -0,0 +1,77 @@
+syntax = "proto3";
+package networking.gloo.solo.io;
+
+import "extproto/ext.proto";
+import "istio.io/api/networking/v1beta1/virtual_service.proto";
+import "github.com/solo-io/solo-apis/api/gloo.solo.io/common/v2/status.proto";
+import "github.com/solo-io/solo-apis/api/gloo.solo.io/common/v2/references.proto";
+
+option go_package = "github.com/solo-io/solo-apis/client-go/networking.gloo.solo.io/v2alpha1";
+
+option (extproto.equal_all) = true;
+option (extproto.clone_all) = true;
+option (extproto.hash_all) = true;
+
+// $hide_from_docs
+message ProgressiveDeliverySpec {
+
+  // +kubebuilder:validation:Required
+  .common.gloo.solo.io.ObjectReference route_table_ref = 1;
+
+  // +kubebuilder:validation:MinItems=1
+  repeated VirtualServiceRoute virtual_service_patch = 2;
+
+  // $hide_from_docs
+  message VirtualServiceRoute {
+    string name = 1;
+
+    // +kubebuilder:validation:MinItems=1
+    // +kubebuilder:validation:Required
+    repeated HttpRouteDestination route = 2;
+  }
+
+  // $hide_from_docs
+  message HttpRouteDestination {
+    // +kubebuilder:validation:Required
+    Destination destination = 1;
+
+    // +kubebuilder:default=0
+    int32 weight = 2;
+  }
+}
+
+// $hide_from_docs
+message ProgressiveDeliveryStatus {
+  // The state of the applied resource
+  .common.gloo.solo.io.Status common = 1;
+
+  // Any Virtual Service that was successfully patched
+  repeated .common.gloo.solo.io.ObjectReference patchedVirtualServices = 2;
+
+  // Any Virtual Service that failed to patch
+  repeated .common.gloo.solo.io.ObjectReference failedToPatchVirtualServices = 3;
+}
+
+// $hide_from_docs
+message Destination {
+  // The name of a service from the service registry. Service
+	// names are looked up from the platform's service registry (e.g.,
+	// Kubernetes services, Consul services, etc.) and from the hosts
+	// declared by ServiceEntry.
+  // +kubebuilder:validation:Required
+  string host = 1;
+
+	// Either the name or labels of a subset within the service, only one can be set. 
+  // +kubebuilder:validation:Required
+  // +kubebuilder:validation:XValidation:rule="has(self.name) ? !has(self.labels) : has(self.labels)",message="either name or labels must be set, but not both."
+  SubsetSelector subset = 2;
+
+  // Specifies the port on the host that is being addressed.
+  istio.networking.v1beta1.PortSelector port = 3;
+}
+
+// $hide_from_docs
+message SubsetSelector {
+  string name = 1;
+  map<string, string> labels = 2;
+}

api/gloo.solo.io/policy/v2/resilience/adaptive_request_concurrency_policy.proto

@@ -51,7 +51,6 @@ option (extproto.clone_all) = true;
 message AdaptiveRequestConcurrencyPolicySpec {
 
   // Destinations to apply the concurrency limit to.
-  // Note that external services are not supported as destinations with this policy.
   // If empty, the policy applies to all destinations in the workspace.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;
 

api/gloo.solo.io/policy/v2/resilience/failover_policy.proto

@@ -69,10 +69,6 @@ message FailoverPolicySpec {
 
   // Select the destinations to apply the policy to by using labels.
   // If empty, the policy applies to all destinations in the workspace.
-  // {{< alert context="info" >}}
-  // The destinations can be Kubernetes services or virtual destinations.
-  // Note that external services are not supported as destinations with this policy.
-  // {{< /alert >}}
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;
 
   // The details of the failover policy to apply to the selected virtual destinations.

api/gloo.solo.io/policy/v2/resilience/listener_connection_policy.proto

@@ -18,7 +18,7 @@ option (extproto.clone_all) = true;
 // ListenerConnectionPolicy is used to set configuration for gateway listeners.
 //
 // ```
-// apiVersion: trafficcontrol.policy.gloo.solo.io/v2
+// apiVersion: resilience.policy.gloo.solo.io/v2
 // kind: ListenerConnectionPolicy
 // metadata:
 //   name: my-policy

api/gloo.solo.io/policy/v2/resilience/outlier_detection_policy.proto

@@ -43,11 +43,8 @@ message OutlierDetectionPolicySpec {
   // 
   // </br>**Implementation notes**:<ul>
   // <li>If empty, the policy applies to all destinations in the workspace.</li>
-  // <li>The outlier detection policy currently supports selecting Gloo virtual destinations.
-  // Selecting Kubernetes services is not supported. To select a Gloo external service,
-  // the external service must refer to a service that is outside the service mesh
-  // but within the same cluster environment. Selecting Gloo external services that
-  // refer to a service outside the cluster is not supported.</li></ul>
+  // <li>This policy currently supports selecting Gloo virtual destinations or external services.
+  // Selecting Kubernetes services is not supported.</li></ul>
   //
   // **Configuration constraints**: `applyToDestinations.kind` must equal either `VIRTUAL_DESTINATION` or `EXTERNAL_SERVICE`.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 1;

api/gloo.solo.io/policy/v2/security/ext_auth_policy.proto

@@ -55,7 +55,7 @@ message ExtAuthPolicySpec {
   // Destinations to apply the policy to.
   //
   // </br>**Implementation notes**:
-  // <li>Only Kubernetes services can be specified. Virtual destinations or external services are not supported.</li>
+  // <li>{{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}</li>
   // <li>If empty and `applyToRoutes` is unset, the policy applies to all destinations in the workspace.</li>
   // <li>If empty and `applyToRoutes` is set, the policy does not apply to any destinations in the workspace.</li></ul>
   //

api/gloo.solo.io/policy/v2/security/jwt_policy.proto

@@ -104,7 +104,8 @@ message JWTPolicySpec {
   // If omitted and the policy selects a destination, the policy does not apply to any routes.
   repeated .common.gloo.solo.io.RouteSelector apply_to_routes = 1;
 
-  // Select the destinations where the policy will be applied. Only Kubernetes services are supported.
+  // Select the destinations where the policy will be applied.
+  // {{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}
   // By default if omitted, the policy does not apply to any destinations.
   // If empty (`{}`), the policy applies to all destinations in the workspace.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 3;

api/gloo.solo.io/policy/v2/trafficcontrol/ratelimit_policy.proto

@@ -28,8 +28,7 @@ message RateLimitPolicySpec {
   repeated .common.gloo.solo.io.RouteSelector apply_to_routes = 1;
 
   // Select the destinations where the policy will be applied.
-  // Note that rate limit outputs are only translated for destinations that are Kubernetes services.
-  // External services and virtual destinations are not supported as destinations with this policy.
+  // {{< reuse "conrefs/snippets/field-desc/dest-no-vdest.md" >}}
   // If empty, the rate limit policy applies to all destinations in the workspace.
   // If the destination selector is empty but the route selector is set, no rate limits are applied on destinations, only on routes.
   repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 2;