Define targetRef proto (#2888)

* Define protobuf for PolicyTargetReference

Signed-off-by: Jackie Elliott <[email protected]>

* Add targetRef to AuthorizationPolicy, Telemetry, WasmPlugin,
ProxyConfig, and RequestAuthentication.

Need more examples.

Signed-off-by: Jackie Elliott <[email protected]>

* Add examples

Signed-off-by: Jackie Elliott <[email protected]>

* Moved targetRef def to selector.proto. Removed kubebuilder
comments. Added release note for targetRef.

Signed-off-by: Jackie Elliott <[email protected]>

* Add oneof to CRD protos. Add clarifying comments about intended
use of taretRef.

Signed-off-by: Jackie Elliott <[email protected]>

* Remove targetRef from ProxyConfig

Signed-off-by: Jackie Elliott <[email protected]>

* Removed root namespace references and ingress gateway targetRef
examples.

Signed-off-by: Jackie Elliott <[email protected]>

* Hide API changes from docs and remove examples until impl is
complete

Signed-off-by: Jackie Elliott <[email protected]>

* Remove telemtry example until impl complete

Signed-off-by: Jackie Elliott <[email protected]>

* add clarification resource must be in same ns as policy and add
oneof to wasm plugin.

Signed-off-by: Jackie Elliott <[email protected]>

* Remove oneof in to avoid go changes.

Signed-off-by: Jackie Elliott <[email protected]>

* update release note to clarify scope is limited to waypoints

Signed-off-by: Jackie Elliott <[email protected]>

* Update authorizationPolicy selector comment

Signed-off-by: Jackie Elliott <[email protected]>

* clarify in targetRef description only waypoint is supported as a
targeted resource

Signed-off-by: Jackie Elliott <[email protected]>

* add k8s gateway references

Signed-off-by: Jackie Elliott <[email protected]>

* Respond to PR feedback and add selector example.

Signed-off-by: Jackie Elliott <[email protected]>

* Address nits

Signed-off-by: Jackie Elliott <[email protected]>

---------

Signed-off-by: Jackie Elliott <[email protected]>

Author: jaellio

extensions/v1alpha1/wasm.pb.go

@@ -240,8 +240,22 @@ message WasmPlugin {
   // namespace. If the `WasmPlugin` is present in the config root
   // namespace, it will be applied to all applicable workloads in any
   // namespace.
+  //
+  // At most one of the selector and targetRef can be set.
   istio.type.v1beta1.WorkloadSelector selector = 1;
 
+  // $hide_from_docs
+  // Optional. The targetRef specifies the gateway the policy should be 
+  // applied to. The targeted resource specified will determine which 
+  // workloads the WasmPlugin applies to. The targeted resource must be 
+  // a `Gateway` in the group `gateway.networking.k8s.io`. The gateway
+  // must be in the same namespace as the policy.
+  //
+  // If the `targetRef` is not set, the policy is applied as defined by the selector.
+  // At most one of the selector and targetRef can be set.
+  // Waypoint proxies will not respect selectors even if they match.
+  istio.type.v1beta1.PolicyTargetReference targetRef = 15;
+
   // URL of a Wasm module or OCI container. If no scheme is present,
   // defaults to `oci://`, referencing an OCI image. Other valid schemes
   // are `file://` for referencing .wasm module files present locally

extensions/v1alpha1/wasm.pb.html

@@ -36539,6 +36539,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 15,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "url",
@@ -46818,6 +46823,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "rules",
@@ -47188,6 +47198,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 3,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "jwt_rules",
@@ -47314,6 +47329,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "rules",
@@ -47764,6 +47784,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 3,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "jwt_rules",
@@ -47918,6 +47943,11 @@
                 "name": "selector",
                 "type": "istio.type.v1beta1.WorkloadSelector"
               },
+              {
+                "id": 5,
+                "name": "targetRef",
+                "type": "istio.type.v1beta1.PolicyTargetReference"
+              },
               {
                 "id": 2,
                 "name": "tracing",
@@ -48279,6 +48309,31 @@
                 "type": "uint32"
               }
             ]
+          },
+          {
+            "name": "PolicyTargetReference",
+            "fields": [
+              {
+                "id": 1,
+                "name": "group",
+                "type": "string"
+              },
+              {
+                "id": 2,
+                "name": "kind",
+                "type": "string"
+              },
+              {
+                "id": 3,
+                "name": "name",
+                "type": "string"
+              },
+              {
+                "id": 4,
+                "name": "namespace",
+                "type": "string"
+              }
+            ]
           }
         ],
         "imports": [

extensions/v1alpha1/wasm.proto

@@ -0,0 +1,12 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+  - https://github.com/istio/api/issues/2885
+
+releaseNotes:
+  - |
+    **Added** PolicyTargetReference definition to be used in the RequestAuthentication, AuthorizationPolicy, Telemetry, and WasmPlugin CRDs to target k8s gateways.
+
+docs:
+  - https://docs.google.com/document/d/1MaMdyIQdOwq7mGCVMYW56FED9HrkJa93Nd0S0zBwws4/edit?usp=sharing