Define ServiceScopeConfig in ServiceSettings (#3464)
* Define ServiceScopeConfig in ServiceSettings Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add release note Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * remove suffix Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * add back missing scope from example Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Remove nested list Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * make gen Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Update example Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * make gen Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Update gen Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Clarify example Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Clarify behavior of servicescopeconfig Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Respond to PR feedback about docs Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Move ServiceScopeConfigs to its own message. Define relationship between ServiceSettings and ServiceScopeConfigs. Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Clarify declarative intent Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Clarify API intent for mesh admin Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix example Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
parent
a630cf092d
commit
6c028fec98
|
|
@ -413,6 +413,14 @@ message MeshConfig {
|
|||
// - "*.foo.svc.cluster.local"
|
||||
// - "bar.baz.svc.cluster.local"
|
||||
// ```
|
||||
//
|
||||
// When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
|
||||
// ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
|
||||
// global service scope selector, the service will be considered cluster local. If a service is
|
||||
// considered global by ServiceSettings and does not match a global service scope selector
|
||||
// the serive will be considered local. Local scope takes precedence over global scope. Since
|
||||
// ServiceScopeConfigs is local by default, all services are considered local unless it is considered
|
||||
// global by ServiceSettings AND ServiceScopeConfigs.
|
||||
message ServiceSettings {
|
||||
// Settings for the selected services.
|
||||
message Settings {
|
||||
|
|
@ -450,6 +458,54 @@ message MeshConfig {
|
|||
// Settings to be applied to select services.
|
||||
repeated ServiceSettings service_settings = 50;
|
||||
|
||||
// Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
|
||||
// to define the criteria by which the cluster's control plane determines which services in other
|
||||
// clusters in the mesh are treated as global (accessible across multiple clusters) versus local
|
||||
// (restricted to a single cluster). The configuration can be applied to services based on namespace
|
||||
// and/or other matching criteria. This is particularly useful in multicluster service mesh deployments
|
||||
// to control service visibility and access across clusters. This API is not intended to enforce
|
||||
// security policies. Resources like DestinationRules should be used to enforce authorization policies.
|
||||
// If a service matches a global service scope selector, the service's endpoints will be globally
|
||||
// exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
|
||||
// services.
|
||||
//
|
||||
// For example, the following configures the scope of all services with the "istio.io/global" label
|
||||
// in matching namespaces to be available globally:
|
||||
//
|
||||
// ```yaml
|
||||
// serviceScopeConfigs:
|
||||
// - namespacesSelector:
|
||||
// matchExpressions:
|
||||
// - key: istio.io/global
|
||||
// operator: In
|
||||
// values: [true]
|
||||
// servicesSelector:
|
||||
// matchExpressions:
|
||||
// - key: istio.io/global
|
||||
// operator: Exists
|
||||
// scope: GLOBAL
|
||||
// ```
|
||||
message ServiceScopeConfigs {
|
||||
// The scope of the matching service. Used to determine if the service is available locally
|
||||
// (cluster local) or globally (mesh-wide).
|
||||
enum Scope {
|
||||
LOCAL = 0;
|
||||
GLOBAL = 1;
|
||||
}
|
||||
|
||||
// Match expression for namespaces.
|
||||
LabelSelector namespace_selector = 1;
|
||||
|
||||
// Match expression for serivces.
|
||||
LabelSelector services_selector = 2;
|
||||
|
||||
// Specifics the available scope for matching services.
|
||||
Scope scope = 3;
|
||||
}
|
||||
|
||||
// Scope to be applied to select services.
|
||||
repeated ServiceScopeConfigs service_scope_configs = 67;
|
||||
|
||||
// If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
|
||||
// and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
|
||||
// and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
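Review bot: The YAML example in the new `service_scope_configs` doc comment uses the key `namespacesSelector`, but the field it illustrates is `namespace_selector`, whose JSON name is `namespaceSelector`, so the example as written would not match the schema it documents; change the example line to `- namespaceSelector:`. The same example gives `values: [true]`, which YAML reads as a boolean while LabelSelector match-expression values are presumably strings, so `values: ["true"]` is the safer form — confirm against the LabelSelector definition. The sentence "Resources like DestinationRules should be used to enforce authorization policies" points readers at the wrong resource: in Istio authorization is enforced by AuthorizationPolicy, a DestinationRule only configures traffic and client-side TLS settings, so a mesh admin following this advice would not get the access control the comment promises; suggest `Resources like AuthorizationPolicy should be used to enforce authorization policies.` Minor wording in the new field comments: `serivces` → `services`, `Specifics the available scope` → `Specifies the available scope`, and `serive` → `service` in the ServiceSettings comment in the earlier hunk. The enclosing `message MeshConfig` starts and ends outside these hunks.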
|
||||
|
|
|
|||
|
|
@ -72,6 +72,17 @@ func (this *MeshConfig_ServiceSettings_Settings) UnmarshalJSON(b []byte) error {
|
|||
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
|
||||
}
|
||||
|
||||
// MarshalJSON is a custom marshaler for MeshConfig_ServiceScopeConfigs
|
||||
func (this *MeshConfig_ServiceScopeConfigs) MarshalJSON() ([]byte, error) {
|
||||
str, err := ConfigMarshaler.MarshalToString(this)
|
||||
return []byte(str), err
|
||||
}
|
||||
|
||||
// UnmarshalJSON is a custom unmarshaler for MeshConfig_ServiceScopeConfigs
|
||||
func (this *MeshConfig_ServiceScopeConfigs) UnmarshalJSON(b []byte) error {
|
||||
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
|
||||
}
|
||||
|
||||
// MarshalJSON is a custom marshaler for MeshConfig_CA
|
||||
func (this *MeshConfig_CA) MarshalJSON() ([]byte, error) {
|
||||
str, err := ConfigMarshaler.MarshalToString(this)
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
|
|||
layout: protoc-gen-docs
|
||||
generator: protoc-gen-docs
|
||||
weight: 20
|
||||
number_of_entries: 78
|
||||
number_of_entries: 80
|
||||
---
|
||||
<p>Configuration affecting the service mesh as a whole.</p>
|
||||
|
||||
|
|
@ -433,6 +433,15 @@ For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This c
|
|||
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
|
||||
</ul>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="MeshConfig-service_scope_configs">
|
||||
<td><div class="field"><div class="name"><code><a href="#MeshConfig-service_scope_configs">serviceScopeConfigs</a></code></div>
|
||||
<div class="type"><a href="#MeshConfig-ServiceScopeConfigs">ServiceScopeConfigs[]</a></div>
|
||||
</div></td>
|
||||
<td>
|
||||
<p>Scope to be applied to select services.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="MeshConfig-enable_prometheus_merge">
|
||||
|
|
@ -732,6 +741,97 @@ If only trustDomains is set, this trustAnchor is used for these trustDomains and
|
|||
If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
|
||||
If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
<h3 id="MeshConfig-ServiceScopeConfigs">ServiceScopeConfigs</h3>
|
||||
<section>
|
||||
<p>Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
|
||||
to define the criteria by which the cluster’s control plane determines which services in other
|
||||
clusters in the mesh are treated as global (accessible across multiple clusters) versus local
|
||||
(restricted to a single cluster). The configuration can be applied to services based on namespace
|
||||
and/or other matching criteria. This is particularly useful in multicluster service mesh deployments
|
||||
to control service visibility and access across clusters. This API is not intended to enforce
|
||||
security policies. Resources like DestinationRules should be used to enforce authorization policies.
|
||||
If a service matches a global service scope selector, the service’s endpoints will be globally
|
||||
exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
|
||||
services.</p>
|
||||
<p>For example, the following configures the scope of all services with the “istio.io/global” label
|
||||
in matching namespaces to be available globally:</p>
|
||||
<pre><code class="language-yaml">serviceScopeConfigs:
|
||||
- namespacesSelector:
|
||||
matchExpressions:
|
||||
- key: istio.io/global
|
||||
operator: In
|
||||
values: [true]
|
||||
servicesSelector:
|
||||
matchExpressions:
|
||||
- key: istio.io/global
|
||||
operator: Exists
|
||||
scope: GLOBAL
|
||||
</code></pre>
|
||||
|
||||
<table class="message-fields">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr id="MeshConfig-ServiceScopeConfigs-namespace_selector">
|
||||
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-namespace_selector">namespaceSelector</a></code></div>
|
||||
<div class="type"><a href="#LabelSelector">LabelSelector</a></div>
|
||||
</div></td>
|
||||
<td>
|
||||
<p>Match expression for namespaces.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="MeshConfig-ServiceScopeConfigs-services_selector">
|
||||
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-services_selector">servicesSelector</a></code></div>
|
||||
<div class="type"><a href="#LabelSelector">LabelSelector</a></div>
|
||||
</div></td>
|
||||
<td>
|
||||
<p>Match expression for serivces.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="MeshConfig-ServiceScopeConfigs-scope">
|
||||
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-scope">scope</a></code></div>
|
||||
<div class="type"><a href="#MeshConfig-ServiceScopeConfigs-Scope">Scope</a></div>
|
||||
</div></td>
|
||||
<td>
|
||||
<p>Specifics the available scope for matching services.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
<h4 id="MeshConfig-ServiceScopeConfigs-Scope">Scope</h4>
|
||||
<section>
|
||||
<p>The scope of the matching service. Used to determine if the service is available locally
|
||||
(cluster local) or globally (mesh-wide).</p>
|
||||
|
||||
<table class="enum-values">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr id="MeshConfig-ServiceScopeConfigs-Scope-LOCAL">
|
||||
<td><code><a href="#MeshConfig-ServiceScopeConfigs-Scope-LOCAL">LOCAL</a></code></td>
|
||||
<td>
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="MeshConfig-ServiceScopeConfigs-Scope-GLOBAL">
|
||||
<td><code><a href="#MeshConfig-ServiceScopeConfigs-Scope-GLOBAL">GLOBAL</a></code></td>
|
||||
<td>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: release-notes/v2
|
||||
kind: feature
|
||||
area: traffic-management
|
||||
issue:
|
||||
- https://github.com/istio/istio/issues/54245
|
||||
|
||||
releaseNotes:
|
||||
- |
|
||||
**Added** API to configure service scopes in the MeshConfig.
|
||||