// Copyright 2018 Istio Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package istio.mesh.v1alpha1; import "google/api/field_behavior.proto"; option go_package="istio.io/api/mesh/v1alpha1"; // Network provides information about the endpoints in a routable L3 // network. A single routable L3 network can have one or more service // registries. Note that the network has no relation to the locality of the // endpoint. The endpoint locality will be obtained from the service // registry. message Network { // NetworkEndpoints describes how the network associated with an endpoint // should be inferred. An endpoint will be assigned to a network based on // the following rules: // // 1. Implicitly: If the registry explicitly provides information about // the network to which the endpoint belongs to. In some cases, its // possible to indicate the network associated with the endpoint by // adding the `ISTIO_META_NETWORK` environment variable to the sidecar. // // 2. Explicitly: // // a. By matching the registry name with one of the "fromRegistry" // in the mesh config. A "fromRegistry" can only be assigned to a // single network. // // b. By matching the IP against one of the CIDR ranges in a mesh // config network. The CIDR ranges must not overlap and be assigned to // a single network. // // (2) will override (1) if both are present. message NetworkEndpoints { oneof ne { // A CIDR range for the set of endpoints in this network. The CIDR // ranges for endpoints from different networks must not overlap. string from_cidr = 1; // Add all endpoints from the specified registry into this network. // The names of the registries should correspond to the kubeconfig file name // inside the secret that was used to configure the registry (Kubernetes // multicluster) or supplied by MCP server. string from_registry = 2; } } // The list of endpoints in the network (obtained through the // constituent service registries or from CIDR ranges). All endpoints in // the network are directly accessible to one another. repeated NetworkEndpoints endpoints = 2 [(google.api.field_behavior) = REQUIRED]; // The gateway associated with this network. Traffic from remote networks // will arrive at the specified gateway:port. All incoming traffic must // use mTLS. message IstioNetworkGateway { oneof gw { // A fully qualified domain name of the gateway service. Pilot will // lookup the service from the service registries in the network and // obtain the endpoint IPs of the gateway from the service // registry. Note that while the service name is a fully qualified // domain name, it need not be resolvable outside the orchestration // platform for the registry. e.g., this could be // istio-ingressgateway.istio-system.svc.cluster.local. string registry_service_name = 1; // IP address or externally resolvable DNS address associated with the gateway. string address = 2; } // The port associated with the gateway. uint32 port = 3 [(google.api.field_behavior) = REQUIRED]; // The locality associated with an explicitly specified gateway (i.e. ip) string locality = 4; } // Set of gateways associated with the network. repeated IstioNetworkGateway gateways = 3 [(google.api.field_behavior) = REQUIRED]; } // MeshNetworks (config map) provides information about the set of networks // inside a mesh and how to route to endpoints in each network. For example // // MeshNetworks(file/config map): // // ```yaml // networks: // network1: // endpoints: // - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret // - fromCidr: 192.168.100.0/22 #a VM network for example // gateways: // - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local // port: 15443 // locality: us-east-1a // - address: 192.168.100.1 // port: 15443 // locality: us-east-1a // ``` // message MeshNetworks { // The set of networks inside this mesh. Each network should // have a unique name and information about how to infer the endpoints in // the network as well as the gateways associated with the network. map<string, Network> networks = 1 [(google.api.field_behavior) = REQUIRED]; }