proto.networking.v1alpha3.workload_entry.proto Maven / Gradle / Ivy
// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
// $schema: istio.networking.v1alpha3.WorkloadEntry
// $title: Workload Entry
// $description: Configuration affecting VMs onboarded into the mesh.
// $location: https://istio.io/docs/reference/config/networking/workload-entry.html
// $aliases: [/docs/reference/config/networking/v1alpha3/workload-entry]
// `WorkloadEntry` enables operators to describe the properties of a
// single non-Kubernetes workload such as a VM or a bare metal server
// as it is onboarded into the mesh. A `WorkloadEntry` must be
// accompanied by an Istio `ServiceEntry` that selects the workload
// through the appropriate labels and provides the service definition
// for a `MESH_INTERNAL` service (hostnames, port properties, etc.). A
// `ServiceEntry` object can select multiple workload entries as well
// as Kubernetes pods based on the label selector specified in the
// service entry.
//
// When a workload connects to `istiod`, the status field in the
// custom resource will be updated to indicate the health of the
// workload along with other details, similar to how Kubernetes
// updates the status of a pod.
//
// The following example declares a workload entry representing a VM
// for the `details.bookinfo.com` service. This VM has sidecar
// installed and bootstrapped using the `details-legacy` service
// account. The service is exposed on port 80 to applications in the
// mesh. The HTTP traffic to this service is wrapped in Istio mutual
// TLS and sent to sidecars on VMs on target port 8080, that in turn
// forward it to the application on localhost on the same port.
//
// {{}}
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: WorkloadEntry
// metadata:
// name: details-svc
// spec:
// # use of the service account indicates that the workload has a
// # sidecar proxy bootstrapped with this service account. Pods with
// # sidecars will automatically communicate with the workload using
// # istio mutual TLS.
// serviceAccount: details-legacy
// address: 2.2.2.2
// labels:
// app: details-legacy
// instance-id: vm1
// ```
// {{ }}
//
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: WorkloadEntry
// metadata:
// name: details-svc
// spec:
// # use of the service account indicates that the workload has a
// # sidecar proxy bootstrapped with this service account. Pods with
// # sidecars will automatically communicate with the workload using
// # istio mutual TLS.
// serviceAccount: details-legacy
// address: 2.2.2.2
// labels:
// app: details-legacy
// instance-id: vm1
// ```
// {{ }}
// {{ }}
//
// and the associated service entry
//
// {{}}
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// targetPort: 8080
// resolution: STATIC
// workloadSelector:
// labels:
// app: details-legacy
// ```
// {{ }}
//
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// targetPort: 8080
// resolution: STATIC
// workloadSelector:
// labels:
// app: details-legacy
// ```
// {{ }}
// {{ }}
//
//
// The following example declares the same VM workload using
// its fully qualified DNS name. The service entry's resolution
// mode should be changed to DNS to indicate that the client-side
// sidecars should dynamically resolve the DNS name at runtime before
// forwarding the request.
//
// {{}}
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: WorkloadEntry
// metadata:
// name: details-svc
// spec:
// # use of the service account indicates that the workload has a
// # sidecar proxy bootstrapped with this service account. Pods with
// # sidecars will automatically communicate with the workload using
// # istio mutual TLS.
// serviceAccount: details-legacy
// address: vm1.vpc01.corp.net
// labels:
// app: details-legacy
// instance-id: vm1
// ```
// {{ }}
//
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: WorkloadEntry
// metadata:
// name: details-svc
// spec:
// # use of the service account indicates that the workload has a
// # sidecar proxy bootstrapped with this service account. Pods with
// # sidecars will automatically communicate with the workload using
// # istio mutual TLS.
// serviceAccount: details-legacy
// address: vm1.vpc01.corp.net
// labels:
// app: details-legacy
// instance-id: vm1
// ```
// {{ }}
// {{ }}
//
// and the associated service entry
//
// {{}}
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// targetPort: 8080
// resolution: DNS
// workloadSelector:
// labels:
// app: details-legacy
// ```
// {{ }}
//
// {{}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// targetPort: 8080
// resolution: DNS
// workloadSelector:
// labels:
// app: details-legacy
// ```
// {{ }}
// {{ }}
//
package istio.networking.v1alpha3;
option go_package = "istio.io/api/networking/v1alpha3";
// WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries.
//
//
//
//
message WorkloadEntry {
// Address associated with the network endpoint without the
// port. Domain names can be used if and only if the resolution is set
// to DNS, and must be fully-qualified without wildcards. Use the form
// unix:///absolute/path/to/socket for Unix domain socket endpoints.
string address = 1 [(google.api.field_behavior) = REQUIRED];
// Set of ports associated with the endpoint. If the port map is
// specified, it must be a map of servicePortName to this endpoint's
// port, such that traffic to the service port will be forwarded to
// the endpoint port that maps to the service's portName. If
// omitted, and the targetPort is specified as part of the service's
// port specification, traffic to the service port will be forwarded
// to one of the endpoints on the specified `targetPort`. If both
// the targetPort and endpoint's port map are not specified, traffic
// to a service port will be forwarded to one of the endpoints on
// the same port.
//
// **NOTE 1:** Do not use for `unix://` addresses.
//
// **NOTE 2:** endpoint port map takes precedence over targetPort.
map ports = 2;
// One or more labels associated with the endpoint.
map labels = 3;
// Network enables Istio to group endpoints resident in the same L3
// domain/network. All endpoints in the same network are assumed to be
// directly reachable from one another. When endpoints in different
// networks cannot reach each other directly, an Istio Gateway can be
// used to establish connectivity (usually using the
// `AUTO_PASSTHROUGH` mode in a Gateway Server). This is
// an advanced configuration used typically for spanning an Istio mesh
// over multiple clusters.
string network = 4;
// The locality associated with the endpoint. A locality corresponds
// to a failure domain (e.g., country/region/zone). Arbitrary failure
// domain hierarchies can be represented by separating each
// encapsulating failure domain by /. For example, the locality of an
// an endpoint in US, in US-East-1 region, within availability zone
// az-1, in data center rack r11 can be represented as
// us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
// endpoints within the same locality as the sidecar. If none of the
// endpoints in the locality are available, endpoints parent locality
// (but within the same network ID) will be chosen. For example, if
// there are two endpoints in same network (networkID "n1"), say e1
// with locality us/us-east-1/az-1/r11 and e2 with locality
// us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
// will prefer e1 from the same locality over e2 from a different
// locality. Endpoint e2 could be the IP associated with a gateway
// (that bridges networks n1 and n2), or the IP associated with a
// standard service endpoint.
string locality = 5;
// The load balancing weight associated with the endpoint. Endpoints
// with higher weights will receive proportionally higher traffic.
uint32 weight = 6;
// The service account associated with the workload if a sidecar
// is present in the workload. The service account must be present
// in the same namespace as the configuration ( WorkloadEntry or a
// ServiceEntry)
string service_account = 7;
};