Proto: external_workload.proto

Package: networking.gloo.solo.io

Create an in-mesh identity for workloads that are external to a Kubernetes workload cluster to enable routing to and from those workloads in Gloo Mesh. For example, after you onboard a VM to Gloo Mesh, you might create an ExternalWorkload to represent a set of workloads that run on the virtual machine or bare metal instance. When an ExternalWorkload is defined for a given workspace, it can be referenced in:

  • VirtualDestination resources, as an upstream destination
  • AccessPolicy resources, as an allowed client
  • AccessPolicy resources targeting external workloads that match workload selectors

Example

This example provisions an identity for services that listen on port 5000 and that run either on a GCP VM that uses the specified cloud IAM service account, or an AWS VM that is in the specified security group ID. The identity is created in the vm-config namespace of the workload-cluster.

apiVersion: networking.gloo.solo.io/v2alpha1
kind: ExternalWorkload
metadata:
  labels:
    app: http-server
    version: v1
  name: http-server
  namespace: vm-config
spec:
  connectedClusters:
    workload-cluster: vm-config
  identitySelector:
    gcp:
      - serviceAccount: <GCP_VM_service_account>
    aws:
      - securityGroupId: <AWS_security_group_id>
  ports:
    - name: http
      number: 5000

ExternalWorkloadReport

The resources that the applied resource selects.

Field | Description
workspaces (repeated ExternalWorkloadReport.WorkspacesEntry) |
appliedDestinationPolicies (repeated ExternalWorkloadReport.AppliedDestinationPoliciesEntry) | A map of policy GVK to policy references for all the policies that are applied on this resource.
ownerWorkspace (string) | The name of the workspace that owns the ExternalWorkload.

ExternalWorkloadReport.AppliedDestinationPoliciesEntry

Field | Description
key (string) |
value (common.gloo.solo.io.AppliedDestinationPortPolicies) |

ExternalWorkloadReport.WorkspacesEntry

Field | Description
key (string) |
value (common.gloo.solo.io.Report) |

ExternalWorkloadSpec

Specifications for the external workload.

Field | Description
ports (repeated ExternalWorkloadSpec.Port) | Ports that the external workloads listen on.
identitySelector (ExternalWorkloadSpec.IdentitySelector) | The conditions under which an external workload is selected. For example, you might select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account>. This field is optional when you use a join token to attest the external workload. If you specify multiple identity selectors, an external workload is selected when at least one of the selectors matches.
connectedClusters (repeated ExternalWorkloadSpec.ConnectedClustersEntry) | A map of cluster names to the namespace within the cluster that the external workload is registered in. To scope the external workload to multiple registered clusters, multiple cluster-namespace pairs can be specified. However, within a cluster, only a single namespace can be used to register the external workload.
readinessProbe (ExternalWorkloadSpec.Probe) | Optional: Readiness probe for the external workload.

ExternalWorkloadSpec.ConnectedClustersEntry

Field | Description
key (string) |
value (string) |

ExternalWorkloadSpec.IdentitySelector

The conditions under which an external workload is selected. For example, you might select a Google Cloud Platform (GCP) VM by specifying gcp.serviceAccount: <VM_service_account>. This field is optional when you use a join token to attest the external workload. If you specify multiple selectors, an external workload is selected when at least one of the selectors matches.

Field | Description
aws (repeated ExternalWorkloadSpec.IdentitySelector.AWS) | Optional: Selector for external workloads running in AWS.
gcp (repeated ExternalWorkloadSpec.IdentitySelector.GCP) | Optional: Selector for external workloads running in GCP.
azure (repeated ExternalWorkloadSpec.IdentitySelector.Azure) | Optional: Selector for external workloads running in Azure.
joinTokenSpiffeId (repeated string) | Optional: Selector for external workloads using a join token. Specifies the SPIFFE ID associated with the join token.

ExternalWorkloadSpec.IdentitySelector.AWS

Selector for external workloads that run in AWS. If multiple fields are specified, an external workload is selected only when all match.

Field | Description
iamRole (string) | Optional: The IAM role within the instance profile of the external workload.
securityGroupName (string) | Optional: The name of the security group associated with the external workload.
securityGroupId (string) | Optional: The ID of the security group associated with the external workload.
imageId (string) | Optional: The ID of the AMI used to launch the external workload.
instanceId (string) | Optional: The ID of the external workload instance.
zone (string) | Optional: The availability zone in which the external workload is running.
region (string) | Optional: The region where the external workload is running.
tag (ExternalWorkloadSpec.IdentitySelector.AWS.Tag) | The tag applied as a key to the external workload.

ExternalWorkloadSpec.IdentitySelector.AWS.Tag

The tag applied as a key-value pair to the external workload.

Field | Description
key (string) | The key of the tag.
value (string) | The value of the tag.

ExternalWorkloadSpec.IdentitySelector.Azure

Selector for external workloads that run in Azure. If multiple fields are specified, an external workload is selected only when all match.

Field | Description
subscriptionId (string) | Optional: The subscription ID of the external workload.
securityGroup (string) | Optional: The name of the security group associated with the external workload. If specified, the resourceGroup field must also be specified.
virtualNetwork (string) | Optional: The name of the virtual network the external workload belongs to. If specified, the resourceGroup field must also be specified.
subnet (string) | Optional: The name of the subnet in the virtual network the external workload belongs to. If specified, the resourceGroup and virtualNetwork fields must also be specified.
name (string) | Optional: The name of the external workload instance. If specified, the resourceGroup field must also be specified.
resourceGroup (string) | Optional: The resource group the external workload belongs to. The resource group does not act as a selector, but is used in conjunction with the other fields. Must be specified if the securityGroup, virtualNetwork, subnet, or name fields are specified.

ExternalWorkloadSpec.IdentitySelector.GCP

Selector for external workloads that run in GCP. If multiple fields are specified, an external workload is selected only when all match.

Field | Description
serviceAccount (string) | Optional: The service account associated with the external workload.
name (string) | Optional: Name of the external workload instance.
tag (string) | Optional: The tag applied as a key to the external workload.
projectId (string) | Optional: The ID of the project containing the external workload.
zone (string) | Optional: The availability zone in which the external workload is running.
label (ExternalWorkloadSpec.IdentitySelector.GCP.Label) | Optional: The label applied as a key-value pair to the external workload. The value for the key is optional.

ExternalWorkloadSpec.IdentitySelector.GCP.Label

The label applied as a key-value pair to the external workload. The value for the key is optional.

Field | Description
key (string) | The key of the label.
value (string) | The value of the label.
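The selector rules spread across the IdentitySelector sections above (entries in a cloud list are OR'ed, fields inside one entry are AND'ed, a GCP label may omit its value, and the Azure resourceGroup only qualifies other fields) are easy to get wrong in a way that hands the in-mesh identity to more VMs than intended. The following is an added example, not Gloo Mesh code, that evaluates a selector against constructed VM metadata under those rules; the VM dictionary shape, the `platform` key and the treatment of an empty entry or a lone resourceGroup as "selects nothing" are assumptions made here.

```python
# Added example, not Gloo Mesh code: applies the identitySelector matching rules from
# this reference to constructed VM metadata. Cloud lists are OR'ed, fields inside one
# entry are AND'ed, a GCP label may omit its value, Azure resourceGroup only qualifies.

def _field_matches(key: str, want, vm: dict) -> bool:
    """Compare one selector field against the VM's metadata (VM shape is assumed)."""
    if isinstance(want, dict):                 # AWS tag / GCP label: key-value pair
        have = vm.get(key + "s", {})           # vm["tags"] / vm["labels"]
        if want["key"] not in have:
            return False
        return "value" not in want or have[want["key"]] == want["value"]
    if key == "tag":                           # GCP tag: a bare key
        return want in vm.get("tags", [])
    return vm.get(key) == want

def entry_matches(entry: dict, vm: dict) -> bool:
    """AND across every field set in the entry; unset fields are wildcards (empty entry: no match, assumed)."""
    return bool(entry) and all(_field_matches(k, v, vm) for k, v in entry.items())

def azure_entry_valid(entry: dict) -> bool:
    """resourceGroup/virtualNetwork dependencies from the Azure selector; resourceGroup alone selects nothing (assumed)."""
    needs_rg = {"securityGroup", "virtualNetwork", "subnet", "name"}
    if needs_rg & entry.keys() and "resourceGroup" not in entry:
        return False
    if "subnet" in entry and "virtualNetwork" not in entry:
        return False
    return set(entry) != {"resourceGroup"}

def selects(identity_selector: dict, vm: dict) -> bool:
    """True when at least one selector entry for the VM's platform matches it."""
    platform = vm["platform"]
    if platform == "joinToken":
        return vm.get("spiffeId") in identity_selector.get("joinTokenSpiffeId", [])
    for entry in identity_selector.get(platform, []):
        if platform == "azure" and not azure_entry_valid(entry):
            continue                           # skip a malformed entry instead of over-matching
        if entry_matches(entry, vm):
            return True
    return False

# Constructed sample: a selector spanning three clouds and a join token, plus three VMs
SELECTOR = {
    "gcp": [{"serviceAccount": "http-sa@example-project.iam.gserviceaccount.com"}],
    "aws": [{"securityGroupId": "sg-0123456789abcdef0", "tag": {"key": "role", "value": "http"}}],
    "azure": [{"resourceGroup": "rg-apps", "subnet": "apps-subnet"}],   # missing virtualNetwork
    "joinTokenSpiffeId": ["spiffe://example.org/vm/http-server"],
}
VMS = {
    "gcp-ok": {"platform": "gcp", "serviceAccount": "http-sa@example-project.iam.gserviceaccount.com"},
    "aws-wrong-tag": {"platform": "aws", "securityGroupId": "sg-0123456789abcdef0", "tags": {"role": "db"}},
    "azure-skipped": {"platform": "azure", "resourceGroup": "rg-apps", "subnet": "apps-subnet"},
}
```

Running `selects(SELECTOR, vm)` over `VMS` selects only the GCP VM: the AWS VM fails the AND on its tag value, and the Azure entry is skipped because it names a subnet without a virtualNetwork.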

ExternalWorkloadSpec.Port

The port on the backing external workload.

Field | Description
name (string) | The logical name assigned to the port.
protocol (string) | The protocol of the port. Supported protocols: HTTP, HTTPS, GRPC, HTTP2, MONGO, TCP, TLS.
number (uint32) | The port number. Must be in the range 1 - 65535.

ExternalWorkloadSpec.Probe

A health check to perform against an external workload to determine whether it is ready to receive traffic.

Field | Description
initialDelaySeconds (google.protobuf.UInt32Value) | Optional: Number of seconds after the external workload startup before the probes are initiated. Defaults to 0 seconds.
timeoutSeconds (google.protobuf.UInt32Value) | Optional: Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.
periodSeconds (google.protobuf.UInt32Value) | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1 second.
successThreshold (google.protobuf.UInt32Value) | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1.
failureThreshold (google.protobuf.UInt32Value) | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3.
httpGet (ExternalWorkloadSpec.Probe.HTTPGetConfig) | Configuration for an HTTP probe request.
tcpSocket (ExternalWorkloadSpec.Probe.TCPSocketConfig) | Configuration for a TCP socket probe.
exec (ExternalWorkloadSpec.Probe.ExecConfig) | Configuration for an exec command probe.

ExternalWorkloadSpec.Probe.ExecConfig

Configuration for an exec command probe.

Field | Description
command (repeated string) | Command to run. An exit status of zero (0) is considered healthy, and a non-zero status is considered unhealthy.

ExternalWorkloadSpec.Probe.HTTPGetConfig

Configuration for an HTTP GET probe request.

Field | Description
port (uint32) | Number of the port to access. Must be in the range 1 - 65535.
path (string) | Optional: Path to access on the HTTP server.
scheme (ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme) | Optional: Scheme to use for connecting to the host. Defaults to HTTP.
httpHeaders (repeated ExternalWorkloadSpec.Probe.HTTPHeader) | Optional: Custom headers to set in the request. HTTP allows repeated headers.

ExternalWorkloadSpec.Probe.HTTPHeader

A custom header to use in HTTP probes.

Field | Description
name (string) | The header field name.
value (string) | The header field value.

ExternalWorkloadSpec.Probe.TCPSocketConfig

Configuration for a TCP socket probe.

Field | Description
host (string) | Optional: Host to connect to. Defaults to localhost.
port (uint32) | Number of the port to access. Must be in the range 1 - 65535.
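The Port and Probe sections above state several constraints (port numbers in 1 - 65535, the supported protocol list, a 1-second minimum for timeoutSeconds and periodSeconds, a non-empty exec command) that the API will reject or that silently break readiness if violated. The following is an added example, not Gloo Mesh code, that checks those stated constraints over a constructed spec dictionary shaped like the YAML example on this page; the dictionary shape and the error message wording are choices made here.

```python
# Added example, not Gloo Mesh code: a preflight check for the ExternalWorkloadSpec.Port
# and ExternalWorkloadSpec.Probe constraints this reference states (port range, supported
# protocols, probe minimums), run over a constructed spec dict shaped like the page's YAML.
SUPPORTED_PROTOCOLS = {"HTTP", "HTTPS", "GRPC", "HTTP2", "MONGO", "TCP", "TLS"}

def _port_ok(n) -> bool:
    """uint32 port in the documented range; bool is excluded since it subclasses int."""
    return isinstance(n, int) and not isinstance(n, bool) and 1 <= n <= 65535

def validate_ports(ports: list) -> list:
    """Return one message per violated Port constraint."""
    errors = []
    for p in ports:
        label = p.get("name") or "<unnamed>"
        if not _port_ok(p.get("number")):
            errors.append(f"port {label}: number must be in 1-65535, got {p.get('number')!r}")
        if "protocol" in p and p["protocol"] not in SUPPORTED_PROTOCOLS:
            errors.append(f"port {label}: unsupported protocol {p['protocol']!r}")
    return errors

def validate_probe(probe: dict) -> list:
    """Return one message per violated Probe constraint."""
    errors = []
    for field in ("timeoutSeconds", "periodSeconds"):        # both have a 1-second minimum
        if field in probe and probe[field] < 1:
            errors.append(f"readinessProbe.{field}: minimum value is 1 second")
    if "httpGet" in probe and not _port_ok(probe["httpGet"].get("port")):
        errors.append("readinessProbe.httpGet.port: must be in 1-65535")
    if "tcpSocket" in probe and not _port_ok(probe["tcpSocket"].get("port")):
        errors.append("readinessProbe.tcpSocket.port: must be in 1-65535")
    if "exec" in probe and not probe["exec"].get("command"):
        errors.append("readinessProbe.exec.command: must not be empty")
    return errors

def validate_spec(spec: dict) -> list:
    """Collect Port and Probe findings for one ExternalWorkloadSpec-shaped dict."""
    errors = validate_ports(spec.get("ports", []))
    if "readinessProbe" in spec:
        errors += validate_probe(spec["readinessProbe"])
    return errors

# Constructed sample spec with three deliberate mistakes: an out-of-range port number,
# a misspelled protocol, and a probe timeout below the 1-second minimum.
SAMPLE_SPEC = {
    "ports": [{"name": "http", "number": 5000},
              {"name": "admin", "number": 70000, "protocol": "HTTP"},
              {"name": "db", "number": 27017, "protocol": "MONGODB"}],
    "readinessProbe": {"timeoutSeconds": 0, "periodSeconds": 10,
                       "httpGet": {"port": 5000, "path": "/healthz"}},
}
```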

ExternalWorkloadStatus

The status of the ExternalWorkload after it is applied to your Gloo environment.

Field | Description
common (common.gloo.solo.io.Status) | The state and workspace conditions of the applied resource.
numAppliedPolicies (repeated ExternalWorkloadStatus.NumAppliedPoliciesEntry) | A map of policy GVK to the number of policies that are applied on this resource, sorted by GVK.
ownedByWorkspace (string) | Name of the workspace that owns this ExternalWorkload.

ExternalWorkloadStatus.NumAppliedPoliciesEntry

Field | Description
key (string) |
value (uint32) |

ExternalWorkloadSpec.Probe.HTTPGetConfig.Scheme

Scheme to use for connecting to the host.

Name | Number | Description
HTTP | 0 | Use the http:// scheme for the connection.
HTTPS | 1 | Use the https:// scheme for the connection.