// Copyright 2018 Istio Authors
//
//   Licensed under the Apache License, Version 2.0 (the "License");
//   you may not use this file except in compliance with the License.
//   You may obtain a copy of the License at
//
//       http://www.apache.org/licenses/LICENSE-2.0
//
//   Unless required by applicable law or agreed to in writing, software
//   distributed under the License is distributed on an "AS IS" BASIS,
//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//   See the License for the specific language governing permissions and
//   limitations under the License.
14
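syntax = "proto3";

package istio.mesh.v1alpha1;

// Provides the (google.api.field_behavior) annotation used on REQUIRED fields
// below. The annotation is documentation/validation metadata only; it does
// not change the wire format.
import "google/api/field_behavior.proto";

// Import path of the generated Go package. This is part of the published API
// surface: changing it breaks every downstream Go importer.
option go_package = "istio.io/api/mesh/v1alpha1";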
22
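// Network provides information about the endpoints in a routable L3
// network. A single routable L3 network can have one or more service
// registries. Note that the network has no relation to the locality of the
// endpoint. The endpoint locality will be obtained from the service
// registry.
//
// NOTE(review): field number 1 is not used by this message (fields start at
// 2). If 1 was assigned in an earlier revision, add `reserved 1;` here so the
// number cannot be reused with a different meaning.
message Network {
  // NetworkEndpoints describes how the network associated with an endpoint
  // should be inferred. An endpoint will be assigned to a network based on
  // the following rules:
  //
  // 1. Implicitly: If the registry explicitly provides information about
  // the network to which the endpoint belongs. In some cases, it is
  // possible to indicate the network associated with the endpoint by
  // adding the `ISTIO_META_NETWORK` environment variable to the sidecar.
  //
  // 2. Explicitly:
  //
  //    a. By matching the registry name with one of the "fromRegistry"
  //    in the mesh config. A "from_registry" can only be assigned to a
  //    single network.
  //
  //    b. By matching the IP against one of the CIDR ranges in a mesh
  //    config network. The CIDR ranges must not overlap and be assigned to
  //    a single network.
  //
  // (2) will override (1) if both are present.
  //
  // NOTE(review): in rule (1) the network name comes from the endpoint's
  // own sidecar configuration rather than from the mesh config. Where
  // network membership drives routing decisions, prefer the explicit rules
  // in (2), which take precedence when both are present.
  message NetworkEndpoints {
    // Exactly one of the two selectors below is set per entry.
    oneof ne {
      // A CIDR range for the set of endpoints in this network. The CIDR
      // ranges for endpoints from different networks must not overlap.
      // The schema does not validate the string; consumers should parse it
      // and reject malformed or overlapping ranges when loading the config.
      string from_cidr = 1;

      // Add all endpoints from the specified registry into this network.
      // The names of the registries should correspond to the kubeconfig file name
      // inside the secret that was used to configure the registry (Kubernetes
      // multicluster) or supplied by MCP server.
      string from_registry = 2;
    }
  }

  // The list of endpoints in the network (obtained through the
  // constituent service registries or from CIDR ranges). All endpoints in
  // the network are directly accessible to one another.
  repeated NetworkEndpoints endpoints = 2 [(google.api.field_behavior) = REQUIRED];

  // The gateway associated with this network. Traffic from remote networks
  // will arrive at the specified gateway:port. All incoming traffic must
  // use mTLS.
  message IstioNetworkGateway {
    // Exactly one of the two ways to identify the gateway is set.
    oneof gw {
      // A fully qualified domain name of the gateway service. Pilot will
      // look up the service from the service registries in the network and
      // obtain the endpoint IPs of the gateway from the service
      // registry. Note that while the service name is a fully qualified
      // domain name, it need not be resolvable outside the orchestration
      // platform for the registry. e.g., this could be
      // istio-ingressgateway.istio-system.svc.cluster.local.
      string registry_service_name = 1;

      // IP address or externally resolvable DNS address associated with the gateway.
      string address = 2;
    }

    // The port associated with the gateway. Valid TCP ports are 1-65535;
    // the uint32 type does not enforce that range, so validate it on load.
    uint32 port = 3 [(google.api.field_behavior) = REQUIRED];

    // The locality associated with an explicitly specified gateway (i.e. ip)
    string locality = 4;
  }

  // Set of gateways associated with the network.
  repeated IstioNetworkGateway gateways = 3 [(google.api.field_behavior) = REQUIRED];
}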
96
// MeshNetworks (config map) provides information about the set of networks
// inside a mesh and how to route to endpoints in each network.
//
// Example MeshNetworks (file/config map):
//
// ```yaml
// networks:
//   network1:
//   - endpoints:
//     - fromRegistry: registry1 # must match kubeconfig name in Kubernetes secret
//     - fromCidr: 192.168.100.0/22 # a VM network for example
//     gateways:
//     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
//       port: 15443
//       locality: us-east-1a
//     - address: 192.168.100.1
//       port: 15443
//       locality: us-east-1a
// ```
message MeshNetworks {
  // The networks that make up this mesh, keyed by network name. Map keys
  // are unique, so every network has exactly one entry; the Network value
  // describes how to infer the endpoints of that network and the gateways
  // that front it. Map iteration order is not defined on the wire, so
  // consumers must not depend on the order in which networks appear.
  map<string, Network> networks = 1 [(google.api.field_behavior) = REQUIRED];
}
123