add a blog entry describing WorkloadEntries (#7321)

* add a blog entry describing WorkloadEntries

* address review comments both internal/external

* update svgs, and fix wordings

* update blog date

content/en/blog/2020/workload-entry/index.md

@@ -0,0 +1,100 @@
+---
+title: Introducing Workload Entries
+subtitle: Bridging Kubernetes and VMs
+description: Describing the new functionality of Workload Entries.
+publishdate: 2020-05-21
+attribution: "Cynthia Coan (Tetrate), Shriram Rajagopalan (Tetrate), Tia Louden (Tetrate), John Howard (Google), Sven Mawson (Google)"
+keywords: [vm,workloadentry,migration,'1.6',baremetal,serviceentry,discovery]
+---
+
+## Introducing Workload Entries: Bridging Kubernetes and VMs
+
+Historically, Istio has provided great experience to workloads that run on Kubernetes, but it has been less smooth for other types of workloads, such as Virtual Machines (VMs) and bare metal. The gaps included the inability to declaratively specify the properties of a sidecar on a VM, inability to properly respond to the lifecycle changes of the workload (e.g., booting to not ready to ready, or health checks), and cumbersome DNS workarounds as the workloads are migrated into Kubernetes to name a few.
+
+Istio 1.6 has introduced a few changes in how you manage non-Kubernetes workloads, driven by a desire to make it easier to gain Istio's benefits for use cases beyond containers, such as running traditional databases on a platform outside of Kubernetes, or adopting Istio's features for existing applications without rewriting them.
+
+### Background
+
+Prior to Istio 1.6, non-containerized workloads were configurable simply as an IP address in a `ServiceEntry`, which meant that they only existed as part of a service. Istio lacked a first-class abstraction for these non-containerized workloads, something similar to how Kubernetes treats Pods as the fundamental unit of compute - a named object that serves as the collection point for all things related to a workload - name, labels, security properties, lifecycle status events, etc. Enter `WorkloadEntry`.
+
+Consider the following `ServiceEntry` describing a service implemented by a few tens of VMs with IP addresses:
+
+{{< text yaml >}}
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: svc1
+spec:
+  hosts:
+  - svc1.internal.com
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: 1.1.1.1
+  - address: 2.2.2.2
+  ....
+{{< /text >}}
+
+If you wanted to migrate this service into Kubernetes in an active-active manner - i.e. launch a bunch of Pods, send a portion of the traffic to the Pods over Istio mutual TLS (mTLS) and send the rest to the VMs without sidecars - how would you do it? You would have needed to use a combination of a Kubernetes service, a virtual service, and a destination rule to achieve the behavior. Now, let's say you decided to add sidecars to these VMs, one by one, such that you want only the traffic to the VMs with sidecars to use Istio mTLS. If any other Service Entry happens to include the same VM in its addresses, things start to get very complicated and error prone.
+
+The primary source of these complications is that Istio lacked a first-class definition of a non-containerized workload, whose properties can be described independently of the service(s) it is part of.
+
+{{< image
+    link="./workload-entry-first-example.svg"
+    alt="Service Entries Pointing to Workload Entries"
+    caption="The Internal of Service Entries Pointing to Workload Entries"
+    >}}
+
+### Workload Entry: A Non-Kubernetes Endpoint
+
+`WorkloadEntry` was created specifically to solve this problem. `WorkloadEntry` allows you to describe non-Pod endpoints that should still be part of the mesh, and treat them the same as a Pod. From here everything becomes easier, like enabling `MUTUAL_TLS` between workloads, whether they are containerized or not.
+
+To create a `[WorkloadEntry](/docs/reference/config/networking/workload-entry/)` and attach it to a `[ServiceEntry](/docs/reference/config/networking/service-entry/)` you can do something like this:
+
+{{< text yaml >}}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: WorkloadEntry
+metadata:
+  name: vm1
+  namespace: ns1
+spec:
+  address: 1.1.1.1
+  labels:
+    app: foo
+    instance-id: vm-78ad2
+    class: vm
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: svc1
+  namespace: ns1
+spec:
+  hosts:
+  - svc1.internal.com
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  workloadSelector:
+    labels:
+      app: foo
+{{< /text >}}
+
+This creates a new `WorkloadEntry` with a set of labels and an address, and a `ServiceEntry` that uses a `WorkloadSelector` to select all endpoints with the desired labels, in this case including the `WorkloadEntry` that are created for the VM.
+
+{{< image width="75%"
+    link="./workload-entry-final.svg"
+    alt="Service Entries Pointing to Workload Entries"
+    caption="The Internal of Service Entries Pointing to Workload Entries"
+    >}}
+
+Notice that the `ServiceEntry` can reference both Pods and `WorkloadEntries`, using the same selector. VMs and Pods can now be treated identically by Istio, rather than being kept separate.
+
+If you were to migrate some of your workloads to Kubernetes, and you choose to keep a substantial number of your VMs, the `WorkloadSelector` can select both Pods and VMs, and Istio will automatically load balance between them. The 1.6 changes also mean that `WorkloadSelector` syncs configurations between the Pods and VMs and removes the manual requirement to target both infrastructures with duplicate policies like mTLS and authorization.
+The Istio 1.6 release provides a great starting point for what will be possible for the future of Istio. The ability to describe what exists outside of the mesh the same way you do with a Pod leads to added benefits like improved bootstrapping experience. However, these benefits are merely side effects. The core benefit is you can now have VMs, and Pods co-exist without any configuration needed to bridge the two together.

content/en/blog/2020/workload-entry/workload-entry-final.svg

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 22.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 640 480" style="enable-background:new 0 0 640 480;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#D8D8D8;stroke:#000000;stroke-miterlimit:10;}
+	.st1{fill:none;stroke:#000000;stroke-miterlimit:10;}
+	.st2{font-family:'ArialMT';}
+	.st3{font-size:18px;}
+	.st4{fill:#EFEFEF;stroke:#020000;stroke-miterlimit:10;}
+	.st5{font-size:24px;}
+	.st6{font-size:14px;}
+	.st7{fill:none;stroke:#020000;stroke-width:0.75;stroke-miterlimit:10;}
+	.st8{fill:#020000;}
+	.st9{fill:none;stroke:#020000;stroke-miterlimit:10;}
+</style>
+<path class="st0" d="M381.2,166.5H265.5c-6.6,0-12-5.4-12-12V38.8c0-6.6,5.4-12,12-12h115.7c6.6,0,12,5.4,12,12v115.7
+	C393.2,161.1,387.8,166.5,381.2,166.5z"/>
+<g>
+	<g>
+		<line class="st1" x1="47" y1="95.9" x2="247.5" y2="95.9"/>
+		<g>
+			<path d="M253.5,95.9c-2.8,1.1-6.4,2.9-8.5,4.8l1.7-4.8l-1.7-4.8C247.2,93,250.7,94.8,253.5,95.9z"/>
+		</g>
+	</g>
+</g>
+<text transform="matrix(1 0 0 1 16.7588 86.617)" class="st2 st3">Mesh traffic</text>
+<text transform="matrix(1 0 0 1 269.2493 101.2239)" class="st2 st3">Service Entry</text>
+<path class="st4" d="M190,363H86.8c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12H190c6.6,0,12,5.4,12,12V351
+	C202,357.6,196.6,363,190,363z"/>
+<path class="st4" d="M201.9,375.2H98.7c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C213.9,369.8,208.5,375.2,201.9,375.2z"/>
+<path class="st4" d="M213.8,384.9H110.6c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C225.8,379.5,220.4,384.9,213.8,384.9z"/>
+<text transform="matrix(1 0 0 1 136.0748 352.3823)" class="st2 st5">Pods</text>
+<path class="st4" d="M528.2,364.2H425c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C540.2,358.8,534.8,364.2,528.2,364.2z"/>
+<path class="st4" d="M540.1,376.4H436.9c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C552.1,371,546.7,376.4,540.1,376.4z"/>
+<path class="st4" d="M552,386.1H448.8c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12H552c6.6,0,12,5.4,12,12v49.5
+	C564,380.7,558.6,386.1,552,386.1z"/>
+<text transform="matrix(1 0 0 1 476.5728 352.382)" class="st2 st5">VMs</text>
+<text transform="matrix(1 0 0 1 74.7761 413.4272)"><tspan x="0" y="0" class="st2 st6">Kubernetes Pods</tspan><tspan x="0" y="16.8" class="st2 st6">labels:</tspan><tspan x="0" y="33.6" class="st2 st6">  app: foo</tspan><tspan x="0" y="50.4" class="st2 st6">  class: pod</tspan></text>
+<text transform="matrix(1 0 0 1 412.9753 413.4275)"><tspan x="0" y="0" class="st2 st6">Istio WorkloadEntries</tspan><tspan x="0" y="16.8" class="st2 st6">labels:</tspan><tspan x="0" y="33.6" class="st2 st6">  app: foo</tspan><tspan x="0" y="50.4" class="st2 st6">  class: vm</tspan></text>
+<text transform="matrix(1 0 0 1 418.3678 86.6168)"><tspan x="0" y="0" class="st2 st6">ServiceEntry</tspan><tspan x="0" y="16.8" class="st2 st6">selector:</tspan><tspan x="0" y="33.6" class="st2 st6">  app: foo</tspan></text>
+<g>
+	<g>
+		<line class="st7" x1="274.2" y1="166.5" x2="156.2" y2="298.3"/>
+		<g>
+			<path class="st8" d="M153.2,301.7c0.8-2.1,1.6-5,1.6-7.2l1.8,3.3l3.5,1.4C157.9,299.6,155.2,300.6,153.2,301.7z"/>
+		</g>
+	</g>
+</g>
+<g>
+	<g>
+		<line class="st9" x1="368.1" y1="166.5" x2="484.5" y2="298.4"/>
+		<g>
+			<path class="st8" d="M488.5,302.9c-2.7-1.4-6.3-2.9-9.2-3.3l4.7-1.9l2.4-4.4C486.4,296.2,487.4,300.1,488.5,302.9z"/>
+		</g>
+	</g>
+</g>
+</svg>

content/en/blog/2020/workload-entry/workload-entry-first-example.svg

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 22.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 720 540" style="enable-background:new 0 0 720 540;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#D9D9D9;stroke:#000000;stroke-miterlimit:10;}
+	.st1{font-family:'ArialMT';}
+	.st2{font-size:24px;}
+	.st3{fill:#D8D8D8;stroke:#020000;stroke-miterlimit:10;}
+	.st4{fill:none;stroke:#020000;stroke-miterlimit:10;}
+	.st5{fill:#020000;}
+	.st6{fill:#D8D8D8;}
+	.st7{fill:none;stroke:#000000;stroke-miterlimit:10;stroke-dasharray:11.7966,1.9661;}
+	.st8{font-size:18px;}
+	.st9{font-size:14px;}
+</style>
+<path class="st0" d="M159.8,153.6h-127c-6.6,0-12-5.4-12-12V75.2c0-6.6,5.4-12,12-12h127c6.6,0,12,5.4,12,12v66.4
+	C171.8,148.2,166.4,153.6,159.8,153.6z"/>
+<text transform="matrix(1 0 0 1 46.4789 98.179)" class="st1 st2">K8S </text>
+<text transform="matrix(1 0 0 1 46.4789 126.9791)" class="st1 st2">service</text>
+<path class="st3" d="M153.2,402.7H50c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C165.2,397.3,159.8,402.7,153.2,402.7z"/>
+<path class="st3" d="M165,414.9H61.9c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12h103.2c6.6,0,12,5.4,12,12v49.5
+	C177,409.5,171.6,414.9,165,414.9z"/>
+<path class="st3" d="M177,424.6H73.8c-6.6,0-12-5.4-12-12v-49.5c0-6.6,5.4-12,12-12H177c6.6,0,12,5.4,12,12v49.5
+	C189,419.2,183.6,424.6,177,424.6z"/>
+<text transform="matrix(1 0 0 1 101.5514 390.8683)" class="st1 st2">Pod</text>
+<path class="st3" d="M565.3,359.6H303.5c-6.6,0-12-5.4-12-12V85.8c0-6.6,5.4-12,12-12h261.8c6.6,0,12,5.4,12,12v261.8
+	C577.3,354.2,571.9,359.6,565.3,359.6z"/>
+<g>
+	<g>
+		<line class="st4" x1="101.4" y1="323.2" x2="96.3" y2="153.6"/>
+		<g>
+			<path class="st5" d="M101.6,329.2c1-2.9,2.7-6.4,4.5-8.7l-4.7,1.9l-4.8-1.6C98.5,322.9,100.4,326.4,101.6,329.2z"/>
+		</g>
+	</g>
+</g>
+<text transform="matrix(1 0 0 1 308.7642 108.4531)" class="st1 st2">Istio Service Entry</text>
+<text transform="matrix(1 0 0 1 308.7642 216.7336)" class="st1 st2">Endpoints:</text>
+<g>
+	<path class="st6" d="M428.9,285.9H320.8c-6.6,0-12-5.4-12-12v-26.2c0-6.6,5.4-12,12-12H429c6.6,0,12,5.4,12,12v26.2
+		C440.9,280.5,435.5,285.9,428.9,285.9z"/>
+	<path class="st7" d="M428.9,285.9H320.8c-6.6,0-12-5.4-12-12v-26.2c0-6.6,5.4-12,12-12H429c6.6,0,12,5.4,12,12v26.2
+		C440.9,280.5,435.5,285.9,428.9,285.9z"/>
+</g>
+<g>
+	<path class="st6" d="M428.9,347.5H320.8c-6.6,0-12-5.4-12-12v-26.2c0-6.6,5.4-12,12-12H429c6.6,0,12,5.4,12,12v26.2
+		C440.9,342.1,435.5,347.5,428.9,347.5z"/>
+	<path class="st7" d="M428.9,347.5H320.8c-6.6,0-12-5.4-12-12v-26.2c0-6.6,5.4-12,12-12H429c6.6,0,12,5.4,12,12v26.2
+		C440.9,342.1,435.5,347.5,428.9,347.5z"/>
+</g>
+<text transform="matrix(1 0 0 1 113.4329 228.0373)" class="st1 st8">selects</text>
+<text transform="matrix(1 0 0 1 20.8083 443.19)" class="st1 st9">A Kubernetes Service and Pods </text>
+<text transform="matrix(1 0 0 1 20.8083 459.9901)" class="st1 st9">two seperate objects with distinct </text>
+<text transform="matrix(1 0 0 1 20.8083 476.7901)" class="st1 st9">lifecycles.</text>
+<text transform="matrix(1 0 0 1 275.0902 384.2793)" class="st1 st9">Before Workload Entry, a single Istio Service Entry </text>
+<text transform="matrix(1 0 0 1 275.0902 401.0793)" class="st1 st9">object combined the lifecycle of both the service and </text>
+<text transform="matrix(1 0 0 1 275.0902 417.8792)" class="st1 st9">the workloads implementing it, without giving a first </text>
+<text transform="matrix(1 0 0 1 275.0902 434.6793)" class="st1 st9">class representation for the workloads themselves.</text>
+<text transform="matrix(1 0 0 1 349.7465 266.9695)" class="st1 st9">VM 1 IP</text>
+<text transform="matrix(1 0 0 1 349.7465 329.2209)" class="st1 st9">VM2 IP</text>
+</svg>