update dependencies

Signed-off-by: hongming <talonwan@yunify.com>

vendor/istio.io/api/security/v1beta1/request_authentication.proto

@@ -0,0 +1,160 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+import "type/v1beta1/selector.proto";
+import "security/v1beta1/jwt.proto";
+
+// $schema: istio.security.v1beta1.RequestAuthentication
+// $title: RequestAuthentication
+// $description: Request authentication configuration for workloads.
+// $location: https://istio.io/docs/reference/config/security/request_authentication.html
+// $aliases: [/docs/reference/config/security/v1beta1/request_authentication]
+
+package istio.security.v1beta1;
+
+option go_package="istio.io/api/security/v1beta1";
+
+// RequestAuthentication defines what request authentication methods are supported by a workload.
+// If will reject a request if the request contains invalid authentication information, based on the
+// configured authentication rules. A request that does not contain any authentication credentials
+// will be accepted but will not have any authenticated identity. To restrict access to authenticated
+// requests only, this should be accompanied by an authorization rule.
+// Examples:
+//
+// - Require JWT for all request for workloads that have label `app:httpbin`
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: RequestAuthentication
+// metadata:
+//   name: httpbin
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: httpbin
+//   jwtRules:
+//   - issuer: "issuer-foo"
+//     jwksUri: https://example.com/.well-known/jwks.json
+// ---
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   name: httpbin
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: httpbin
+//   rules:
+//   - from:
+//     - source:
+//         requestPrincipals: ["*"]
+// ```
+//
+// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
+// declares it can accpet JWTs issuer by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
+// set from the OpenID Connect spec).
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: RequestAuthentication
+// metadata:
+//   name: httpbin
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: httpbin
+//   jwtRules:
+//   - issuer: "issuer-foo"
+//   - issuer: "issuer-bar"
+// ---
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   name: httpbin
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: httpbin
+//  rules:
+//  - from:
+//    - source:
+//        requestPrincipals: ["issuer-foo/*"]
+//    to:
+//      hosts: ["example.com"]
+//  - from:
+//    - source:
+//        requestPrincipals: ["issuer-bar/*"]
+//    to:
+//      hosts: ["another-host.com"]
+// ```
+//
+// - You can fine tune the authorization policy to set different requirement per path. For example,
+// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
+// authorization policy could be:
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   name: httpbin
+//   namespace: foo
+// spec:
+//   selector:
+//     matchLabels:
+//       app: httpbin
+//  rules:
+//  - from:
+//    - source:
+//        requestPrincipals: ["*"]
+//  - to:
+//    - operation:
+//        paths: ["/healthz]
+// ```
+//
+// <!-- crd generation tags
+// +cue-gen:RequestAuthentication:groupName:security.istio.io
+// +cue-gen:RequestAuthentication:version:v1beta1
+// +cue-gen:RequestAuthentication:storageVersion
+// +cue-gen:RequestAuthentication:annotations:helm.sh/resource-policy=keep
+// +cue-gen:RequestAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
+// +cue-gen:RequestAuthentication:subresource:status
+// +cue-gen:RequestAuthentication:scope:Namespaced
+// +cue-gen:RequestAuthentication:resource:categories=istio-io,security-istio-io,shortNames=ra
+// +cue-gen:RequestAuthentication:preserveUnknownFields:false
+// -->
+//
+// <!-- go code generation tags
+// +kubetype-gen
+// +kubetype-gen:groupVersion=security.istio.io/v1beta1
+// +genclient
+// +k8s:deepcopy-gen=true
+// -->
+message RequestAuthentication {
+  // The selector determines the workloads to apply the RequestAuthentication on.
+  // If not set, the policy will be applied to all workloads in the same namespace as the policy.
+  istio.type.v1beta1.WorkloadSelector selector = 1;
+
+  // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
+  // will be used to extract the authenticated identity.
+  // Each rule will be activated only when a token is presented at the location recorgnized by the
+  // rule. The token will be validated based on the JWT rule config. If validation fails, the request will
+  // be rejected.
+  // Note: if more than one token is presented (at different locations), the output principal is nondeterministic.
+  repeated JWTRule jwt_rules = 2;
+}