virtual_mesh.proto

Package : networking.zephyr.solo.io


VirtualMeshSpec

Field Type Label Description
displayName string User-provided display name for the virtual mesh.
meshes []core.zephyr.solo.io.ResourceRef repeated The meshes contained in this virtual mesh.
certificateAuthority VirtualMeshSpec.CertificateAuthority
federation VirtualMeshSpec.Federation
shared VirtualMeshSpec.SharedTrust
limited VirtualMeshSpec.LimitedTrust
enforceAccessControl VirtualMeshSpec.EnforcementPolicy

VirtualMeshSpec.CertificateAuthority

Field Type Label Description
builtin VirtualMeshSpec.CertificateAuthority.Builtin Use auto-generated root certificate.
provided VirtualMeshSpec.CertificateAuthority.Provided Use user-provided root certificate.

VirtualMeshSpec.CertificateAuthority.Builtin

Configuration for an auto-generated root certificate unique to the VirtualMesh. Uses the X.509 format, RFC 5280.

Field Type Label Description
ttlDays uint32 Number of days before root cert expires. Defaults to 365.
rsaKeySizeBytes uint32 Size in bytes of the root cert's private key. Defaults to 4096.
orgName string Root cert organization name. Defaults to “service-mesh-hub”.

VirtualMeshSpec.CertificateAuthority.Provided

Configuration for user-provided root certificate.

Field Type Label Description
certificate core.zephyr.solo.io.ResourceRef Reference to a Secret object containing the root certificate.

VirtualMeshSpec.Federation

Field Type Label Description
mode VirtualMeshSpec.Federation.Mode

VirtualMeshSpec.LimitedTrust

Limited trust is a virtual mesh trust model that does not require all meshes to share the same root certificate or identity model. Instead, limited trust establishes trust between meshes running on different clusters by connecting their ingress/egress gateways with a common certificate/identity. In this model, cross-cluster requests follow this request path:

                     cluster 1 MTLS                  shared MTLS                   cluster 2 MTLS
    client/workload <--------------> egress gateway <-----------> ingress gateway <--------------> server

This approach has the downside of not maintaining identity from client to server, but it allows ad-hoc addition of further clusters into a virtual mesh.

VirtualMeshSpec.SharedTrust

Shared trust is a virtual mesh trust model requiring a shared root certificate, as well as shared identity between all entities which wish to communicate within the virtual mesh.
The best current example of this would be the replicated control planes example from Istio: https://preliminary.istio.io/docs/setup/install/multicluster/gateways/

VirtualMeshStatus

Field Type Label Description
federationStatus core.zephyr.solo.io.Status Status of the process writing federation decision metadata onto MeshServices.
certificateStatus core.zephyr.solo.io.Status Status of the process signing CSRs.
configStatus core.zephyr.solo.io.Status Overall validation status of this VirtualMesh.
accessControlEnforcementStatus core.zephyr.solo.io.Status Status of ensuring that access control is enforced within this VirtualMesh.

VirtualMeshSpec.EnforcementPolicy

If ENABLED, by default disallow traffic to all Services in the VirtualMesh unless explicitly allowed through AccessControlPolicies. If DISABLED, by default allow traffic to all Services in the VirtualMesh. If MESH_DEFAULT, the default value depends on the type of service mesh: Istio: false, Appmesh: true.

Name Number Description
MESH_DEFAULT 0
ENABLED 1
DISABLED 2
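The trust-model descriptions (LimitedTrust, SharedTrust) and the EnforcementPolicy semantics above can be turned into a configuration check that flags a VirtualMesh whose effective posture is allow-all or that gives up end-to-end identity. The following Python is an added example, not code from Service Mesh Hub or this proto; it assumes the spec is available as a parsed dict using the camelCase field names from the tables, and its sample spec and mesh-type map are constructed for illustration.

```python
# Added example, not Service Mesh Hub code: lint a VirtualMesh spec for weak
# settings. Field and enum names follow this page; the sample spec and the
# mesh-type map are constructed for illustration.

# Constructed sample: two Istio meshes, shared trust, builtin CA with a long
# TTL, and the default (MESH_DEFAULT) enforcement policy.
SAMPLE_SPEC = {
    "displayName": "prod-vmesh",
    "meshes": [
        {"name": "istio-east", "namespace": "service-mesh-hub"},
        {"name": "istio-west", "namespace": "service-mesh-hub"},
    ],
    "certificateAuthority": {"builtin": {"ttlDays": 3650}},
    "shared": {},
    "enforceAccessControl": "MESH_DEFAULT",
}

# Assumed mesh name -> mesh type lookup; the page's ResourceRef carries no
# type, so a real tool would read it from the referenced Mesh object.
MESH_TYPES = {"istio-east": "Istio", "istio-west": "Istio"}

# Per the EnforcementPolicy description: MESH_DEFAULT is allow-all on Istio
# (false) and deny-by-default on Appmesh (true).
MESH_DEFAULT_ENFORCED = {"Istio": False, "Appmesh": True}


def effective_enforcement(spec, mesh_types):
    """Resolve enforceAccessControl to {mesh name: access control enforced?}."""
    policy = spec.get("enforceAccessControl", "MESH_DEFAULT")
    resolved = {}
    for ref in spec.get("meshes", []):
        if policy in ("ENABLED", "DISABLED"):
            resolved[ref["name"]] = policy == "ENABLED"
        else:  # MESH_DEFAULT; an unknown mesh type is treated as not enforced
            mesh_type = mesh_types.get(ref["name"])
            resolved[ref["name"]] = MESH_DEFAULT_ENFORCED.get(mesh_type, False)
    return resolved


def lint_virtual_mesh(spec, mesh_types, max_ttl_days=365):
    """Return findings for weak settings; an empty list means none found."""
    findings = []
    for name, enforced in effective_enforcement(spec, mesh_types).items():
        if not enforced:
            findings.append(f"{name}: allow-all by default; set enforceAccessControl: ENABLED")
    if "limited" in spec:  # page: limited trust drops client-to-server identity
        findings.append("limited trust: identity is not maintained from client to server")
    builtin = spec.get("certificateAuthority", {}).get("builtin")
    if builtin is not None and builtin.get("ttlDays", 365) > max_ttl_days:
        findings.append(f"builtin CA: ttlDays={builtin['ttlDays']} exceeds {max_ttl_days}")
    return findings
```

Running `lint_virtual_mesh(SAMPLE_SPEC, MESH_TYPES)` reports both Istio meshes as allow-all under MESH_DEFAULT and the 3650-day root TTL; switching to `enforceAccessControl: ENABLED` and the default TTL clears the findings.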

VirtualMeshSpec.Federation.Mode

Name Number Description
PERMISSIVE 0 All services in a VirtualMesh will be federated to all workloads in that Virtual Mesh.