Sync Gloo Mesh APIs. Destination Branch: gloo-mesh-v2.5.x (#1091)
Co-authored-by: soloio-bot <[email protected]>
soloio-bot and soloio-bot authored Dec 12, 2023
1 parent a867d40 commit 358aa13
Showing 23 changed files with 1,072 additions and 1,811 deletions.
11 changes: 6 additions & 5 deletions api/gloo.solo.io/admin/v2/ext_auth_server.proto
@@ -44,16 +44,17 @@ message ExtAuthServerSpec {
// Set this if you also want to send the body of the request, and not just the headers.
BufferSettings request_body = 5;

// Clears route cache in order to allow the external authorization service to correctly affect
// routing decisions. Filter clears all cached routes when:
// Clear the route cache to force the external auth service to recalculate the routing decision.
// All cached routes are cleared if one of the following conditions is met.
//
// 1. The field is set to *true*.
//
// 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
// 2. The external auth service returns a HTTP 200 or gRPC 0 response code.
//
// 3. At least one *authorization response header* is added to the client request, or is used for
// altering another client request header.
// 3. At least one *authorization response header* is added to the client request, or is used to
// alter another client request header.
//
// The default value is **false**.
bool clear_route_cache = 6;

// Sets the HTTP status that is returned to the client when there is a network error between the
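Review bot: The reworded comment on `clear_route_cache` now says all cached routes are cleared "if one of the following conditions is met", which turns the numbered list into alternatives. Read that way, condition 2 (an HTTP 200 or gRPC 0 from the external auth service) would clear the cache on every allowed request, and the flag, documented here as defaulting to **false**, would have no effect. In Envoy's ext_authz filter, which this text appears to follow, the three conditions must all hold; if that applies here, the second line should read `// All cached routes are cleared when all of the following conditions are met.` Operators rely on this wording to judge whether headers injected by the auth service can change the selected route.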
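--- a/api/gloo.solo.io/admin/v2/gateway_lifecycle_manager.proto
+++ b/api/gloo.solo.io/admin/v2/gateway_lifecycle_manager.proto
@@ -372,6 +372,11 @@ message GatewayLifecycleManagerStatus {
 // The gateway installation state could not be determined.
 UNKNOWN = 9;
 
+// The gateway is currently being uninstalled.
+UNINSTALLING_GATEWAY = 10;
+
+// The gateway is uninstalled.
+UNINSTALLED_GATEWAY = 11;
 }
 }
 }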
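--- a/api/gloo.solo.io/admin/v2/istio_lifecycle_manager.proto
+++ b/api/gloo.solo.io/admin/v2/istio_lifecycle_manager.proto
@@ -251,6 +251,12 @@ message IstioLifecycleManagerStatus {
 
 // The control plane installation state could not be determined.
 UNKNOWN = 11;
+
+// The Istio control plane is currently being uninstalled.
+UNINSTALLING_CONTROL_PLANE = 12;
+
+// The Istio control plane is uninstalled.
+UNINSTALLED_CONTROL_PLANE = 13;
 }
 }
 }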
2 changes: 1 addition & 1 deletion api/gloo.solo.io/admin/v2alpha1/insights_config.proto
@@ -19,7 +19,7 @@ option (extproto.clone_all) = true;
// based on the insight code.
// For example, to disable the insight CFG002:
//```yaml
// apiVersion: admin.gloo.solo.io/v2
// apiVersion: admin.gloo.solo.io/v2alpha1
// kind: InsightsConfig
// metadata:
// name: insights-config
9 changes: 7 additions & 2 deletions api/gloo.solo.io/internal/insights/v2alpha1/insights.proto
@@ -91,14 +91,13 @@ message Insight {

message Data {
oneof data {
SYS0003Data SYS0003 = 18;
SYS0006Data SYS0006 = 19;
SYS0007Data SYS0007 = 20;
SYS0008Data SYS0008 = 21;
SYS0009Data SYS0009 = 22;
SYS0010Data SYS0010 = 23;
SYS0011Data SYS0011 = 24;
SYS0012Data SYS0012 = 25;
SYS0013Data SYS0013 = 26;
SYS0014Data SYS0014 = 27;
SYS0015Data SYS0015 = 28;
SYS0019Data SYS0019 = 29; // Adding so UI works for mock - might change later
@@ -107,6 +106,10 @@ message Insight {
}
}

// Agent Deployent Reference
message SYS0003Data {
.core.skv2.solo.io.TypedClusterObjectRef deployment_ref = 1;
}

// CRDs
message SYS0006Data {
@@ -207,6 +210,8 @@ message Insight {
int32 out_of_mesh_services = 2;
int32 sidecar_services = 3;
int32 ambient_services = 4;
int32 gateway_services = 5;
int32 total_services = 6;
}

// zero trust - workloads receiving mesh encrypted traffic
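Review bot: The file header reports 2 deletions and only the first hunk shrinks (`-91,14 +91,13`), so two members seem to have been dropped from the `data` oneof, and nothing visible reserves their numbers. If a dropped member's number is reused later, stored or in-flight `Insight` data written with the old schema decodes as the wrong type. Adding `reserved <number>;` and `reserved "<NAME>";` to `message Data` for each removed member would prevent that; the placeholders stand for values this rendered page does not identify, and part of `Data` lies outside the hunks shown. The new comment above `SYS0003Data` also has a typo: `// Agent Deployent Reference` should read `// Agent Deployment Reference`.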
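--- a/api/gloo.solo.io/networking/v2/external_service.proto
+++ b/api/gloo.solo.io/networking/v2/external_service.proto
@@ -75,6 +75,7 @@ message ExternalServiceSpec {
 // A list of egress VirtualGateways via which this ExternalService is reachable.
 // This is required in meshes that are configured to deny all traffic that is not explicitly allowed.
 // Requires the ExternalService to use Hosts rather than Addresses.
+// Currently only supported for ExternalService ports with HTTP, HTTP2, and HTTPS protocols.
 EgressGatewayRoutes egress_gateway_routes = 6;
 
 message TlsConfig {
@@ -115,6 +116,8 @@ message ExternalServiceSpec {
 // The port number to match for traffic originating from the mesh.
 // default to 80.
 // must be unique for each ExternalService port.
+// Note that if this field matches any ExternalService non-egress port (spec.ports.number),
+// requests to this port may not be routed through the egress gateway.
 uint32 port_match = 1;
 
 // Reference to the virtual gateways to use for egress.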
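Review bot: The caveat added to `port_match` describes traffic that does not pass through the egress gateway, but "may not be routed" leaves an operator unable to tell whether a given configuration is affected. The comment above `egress_gateway_routes` says this routing is required in meshes that deny traffic not explicitly allowed, so an overlap with `spec.ports.number` is a case the reader needs stated definitively. Suggest wording such as `// If this value equals any non-egress port of the ExternalService (spec.ports.number), requests to this port are not routed through the egress gateway.` if that is the actual behaviour, and stating whether the overlap is reported anywhere, for example in the resource status.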
46 changes: 26 additions & 20 deletions api/gloo.solo.io/networking/v2/route_table.proto
@@ -35,11 +35,11 @@ option (extproto.clone_all) = true;
// depending on the configuration of the `virtualGateways` field.
//
// The following example defines route configuration for the 'uk.bookinfo.com' and 'eu.bookinfo.com' hosts.
// Traffic arrives at the `my-gateway` virtual gateway in the `my-gateway-ws` workspace.
// Traffic arrives at the `my-gateway` virtual gateway in the `my-gateway-ws` workspace.
// The route table sets up several different matchers to direct HTTP traffic.
// * When the cookie in the header matches to `user=dev-123`, HTTP traffic is forwarded to the port `7777` of the `v1` of `reviews.qa` service.
// * When the cookie in the header matches to `user=dev-123`, HTTP traffic is forwarded to the port `7777` of the `v1` of `reviews.qa` service.
// * When the path matches exactly to `/reviews/`, 80% traffic is forwarded to port 9080
// of the `reviews.prod` service and 20% traffic is forwarded to port 9080 of the `reviews.qa` service.
// of the `reviews.prod` service and 20% traffic is forwarded to port 9080 of the `reviews.qa` service.
// * All other HTTP traffic is sent to the default destination, which is port 9080 of `reviews.prod` service in the `bookinfo` workspace.
// ```yaml
// apiVersion: networking.gloo.solo.io/v2
@@ -71,7 +71,7 @@ option (extproto.clone_all) = true;
// - ref:
// name: reviews
// namespace: qa
// subset:
// subset:
// version: v1
// port:
// number: 7777
@@ -91,10 +91,10 @@ option (extproto.clone_all) = true;
// weight: 20
// ```
//
// The following example defines route configuration for the 'uk.bookinfo.com' and 'eu.bookinfo.com' hosts.
// The following example defines route configuration for the 'uk.bookinfo.com' and 'eu.bookinfo.com' hosts.
// Traffic arrives at the `my-gateway` virtual gateway in the `my-gateway-ws` workspace. The route table sends traffic to an external cloud function.
// * When the HTTP route path matches the prefix `/lambda`, traffic is forwarded to the backing `aws-provider` CloudProvider.
// * The associated `aws-provider` CloudResources resource describes an AWS Lambda service named `logicalName: aws-dest`.
// * The associated `aws-provider` CloudResources resource describes an AWS Lambda service named `logicalName: aws-dest`.
// * The `"SYNC"` option indicates that the AWS Lambda function is invoked synchronously, which is also the default behavior.
//
// ```yaml
@@ -224,15 +224,15 @@ message RouteTableSpec {
// *Note*: Selection of external workloads (VMs) is currently not supported.
repeated .common.gloo.solo.io.WorkloadSelector workload_selectors = 6;

// Optional: Selectors for destinations that shall route traffic by this route table via producer-side side policy (e.g on waypoints)
// Optional: Selectors for destinations that shall route traffic by this route table via producer-side side policy (e.g on waypoints)
//
// Applying an ambient-backed destinations means that any traffic that reaches the destination, regardless of its origin
// Applying an ambient-backed destinations means that any traffic that reaches the destination, regardless of its origin
// (mesh, outside mesh), will be subject to the RouteTable's policy.
//
//
// To select all ambient destinations in the workspace, set `applyToDestinations: - {}`.
//
// *Note*: applyToDestinations is an alpha API currently implemented only for ambient-enabled meshes.
// *Note*: For delegated route tables this field should be empty, as the values from the parent will always be used for destination selection.
// *Note*: For delegated route tables this field should be empty, as the values from the parent will always be used for destination selection.
// *Note*: Selection of external workloads (VMs), external services, and Destinations with sidecars is currently not supported.
repeated .common.gloo.solo.io.DestinationSelector apply_to_destinations = 10;

@@ -264,15 +264,21 @@ message RouteTableSpec {
}

// Use HTTP routes to control Layer 7 application level traffic to your services. To configure HTTP routes, you pair together
// HTTP request `matchers` with certain actions. Matchers are criteria such as a route name, port, header, or method to match
// HTTP request `matchers` with certain actions. Matchers are criteria such as a route name, port, header, or method to match
// with an incoming request. Actions describe what to do with a matching request, such as `forwardTo` a destination or `delegate`
// to another route table. When an HTTP request matches your HTTP route, Gloo performs the action for that route. You can add
// metadata such as names and labels to your HTTP routes so that you can apply policies, track metrics, and better manage the routes.
message HTTPRoute {
// unique name of the route (within the route table). used to identify the route for metrics
string name = 1;

// Labels for the route. used to apply policies which implement routeSelectors.
// Labels for the route, which you can use to apply policies that support routeSelectors.
//
// For enhanced security, include the special label "gateway.gloo.solo.io/require_auth=true"
// on the route. To activate this security feature, enable the "gatewayDefaultDenyAllHTTPRequests"
// feature flag for your Gloo installation. When both the label and feature flag are in place, Gloo
// requires an authentication policy, such as ExtAuthPolicy or JWTPolicy, to be applied to the route.
// If the authentication policy is removed or has an error, Gloo rejects all requests to the route.
map<string, string> labels = 2;

// The set of request matchers which this route will match on. If none are specified, this route will match any HTTP traffic.
@@ -303,11 +309,11 @@ message HTTPRoute {
}
}

// Use TCP routes to control lower-level, connection-based traffic to services such as a local database.
// TCP routes are available only for internal traffic within the cluster, not for ingress gateway traffic.
// To configure TCP routes, you pair together TCP request `matchers` with certain actions.
// Matchers are criteria such as a port to match with an incoming request.
// Actions describe what to do with a matching request, such as `forwardTo` a destination.
// Use TCP routes to control lower-level, connection-based traffic to services such as a local database.
// TCP routes are available only for internal traffic within the cluster, not for ingress gateway traffic.
// To configure TCP routes, you pair together TCP request `matchers` with certain actions.
// Matchers are criteria such as a port to match with an incoming request.
// Actions describe what to do with a matching request, such as `forwardTo` a destination.
// When a TCP request matches your TCP route, Gloo performs the action for that route.
message TCPRoute {

@@ -338,7 +344,7 @@ message TLSRoute {
// When a client request matches a route, Gloo forwards the request to the destination that you specify in this `forwardTo` action.
message TLSForwardToAction {

// Define the upstream destination to route the request to.
// Define the upstream destination to route the request to.
repeated .common.gloo.solo.io.DestinationReference destinations = 1;
}
}
@@ -379,7 +385,7 @@ message ForwardToAction {
// rewrites are available for HTTP routes only and are not supported for TCP routes.
string path_rewrite = 2;

// During forwarding, portions of the path that match the pattern are rewritten, even allowing the substitution
// During forwarding, portions of the path that match the pattern are rewritten, even allowing the substitution
// of capture groups from the pattern into the new path as specified by the rewrite substitution string. This substitution is useful
// to allow application paths to be rewritten in a way that is aware of segments with variable content like identifiers.
// Note that regex rewrites are available for RE2 syntax and HTTP routes only.
@@ -581,7 +587,7 @@ message RouteTableStatus {
// The state and workspace conditions of the applied resource.
.common.gloo.solo.io.Status common = 1;

// A map of policy GVK to the number of policies that are applied on this resource,
// A map of policy GVK to the number of policies that are applied on this resource,
// sorted by GVK.
map<string, uint32> num_applied_route_policies = 2;

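Review bot: The new text on `HTTPRoute.labels` does not say what happens when the `gateway.gloo.solo.io/require_auth=true` label is present but the `gatewayDefaultDenyAllHTTPRequests` feature flag is off. As written ("When both the label and feature flag are in place"), the label alone presumably enforces nothing, so a route can look protected in its manifest while still accepting unauthenticated requests. Suggest adding a line such as `// Without the feature flag, the label has no effect and no authentication policy is required.` if that matches the implementation. The other hunks in this file appear to change only trailing whitespace.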
@@ -3,7 +3,7 @@
// that have injected sidecars or are standalone proxies, such as gateways.
// AccessLogPolicies are applied at the *Workload* level.
//
// Note: Be sure to [enable access logging]({{< versioned_link_path fromRoot="/observability/dataplane/service-mesh/access-logs/" >}})
// Note: Be sure to [enable access logging]({{< versioned_link_path fromRoot="/observability/tools/access-logs/" >}})
// by modifying your default Istio operator installation.
//
// **Example**: This example filters access logs for the `reviews` service, so that only
@@ -36,8 +36,9 @@ message TransformationPolicySpec {

message RequestTransformation {

// If the request was transformed such that it would match a different route,
// recalculate the routing destination (select a new route) based on the transformed content of the request.
// If set to **true**, recalculate the routing destination and select a new route for transformed requests.
// For example, if you have a request that is transformed to match a new route, the new route is selected
// when calculating the routing destination. The default value is **false**.
bool recalculate_routing_destination = 1;

// transform HTTP body and headers using Inja templates.
12 changes: 7 additions & 5 deletions client-go/admin.gloo.solo.io/v2/ext_auth_server.pb.go
