@@ -195,9 +195,6 @@ message MeshConfig {
195195 // can be configured for a single control plane.
196196 repeated ConfigSource config_sources = 22 ;
197197
198- // Locality based load balancing distribution or failover settings.
199- LocalityLoadBalancerSetting locality_lb_setting = 31 ;
200-
201198 // $hide_from_docs
202199 // This flag is used by secret discovery service(SDS).
203200 // If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount
@@ -221,7 +218,71 @@ message MeshConfig {
221218 string trust_domain = 26 ;
222219
223220 // $hide_from_docs
224- // Next available field number: 32
221+ // The default value for the ServiceEntry.export_to field and services
222+ // imported through container registry integrations, e.g. this applies to
223+ // Kubernetes Service resources. The value is a list of namespace names and
224+ // reserved namespace aliases. The allowed namespace aliases are:
225+ //
226+ // * - All Namespaces
227+ // . - Current Namespace
228+ // ~ - No Namespace
229+ //
230+ // If not set the system will use "*" as the default value which implies that
231+ // services are exported to all namespaces.
232+ //
233+ // 'All namespaces' is a reasonable default for implementations that don't
234+ // need to restrict access or visibility of services across namespace
235+ // boundaries. If that requirement is present it is generally good practice to
236+ // make the default 'Current namespace' so that services are only visible
237+ // within their own namespaces by default. Operators can then expand the
238+ // visibility of services to other namespaces as needed. Use of 'No Namespace'
239+ // is expected to be rare but can have utility for deployments where
240+ // dependency management needs to be precise even within the scope of a single
241+ // namespace.
242+ //
243+ // For further discussion see the reference documentation for ServiceEntry,
244+ // Sidecar, and Gateway.
245+ repeated string default_service_export_to = 31 ;
246+
247+ // $hide_from_docs
248+ // The default value for the VirtualService.export_to field. Has the same
249+ // syntax as 'default_service_export_to'.
250+ //
251+ // If not set the system will use "*" as the default value which implies that
252+ // virtual services are exported to all namespaces
253+ repeated string default_virtual_service_export_to = 32 ;
254+
255+ // $hide_from_docs
256+ // The default value for the DestinationRule.export_to field. Has the same
257+ // syntax as 'default_service_export_to'.
258+ //
259+ // If not set the system will use "*" as the default value which implies that
260+ // destination rules are exported to all namespaces
261+ repeated string default_destination_rule_export_to = 33 ;
262+
263+ // $hide_from_docs
264+ // The namespace to treat as the administrative root namespace for
265+ // istio configuration. When processing a leaf namespace Istio will search for
266+ // declarations in that namespace first and if none are found it will
267+ // search in the root namespace. Any matching declaration found in the root
268+ // namespace is processed as if it were declared in the leaf namespace.
269+ //
270+ // The precise semantics of this processing are documented on each resource
271+ // type.
272+ //
273+ // There is no default value for this flag in 1.1 but in later releases it
274+ // is expected to default to a new namespace, "istio-config", which is
275+ // maintained separately from the "istio-system" namespace where an instance
276+ // of the control plane runtime is deployed. This separates the concerns of
277+ // configuring the control-plane runtime from configuration of the mesh.
278+ string root_namespace = 34 ;
279+
280+ // Locality based load balancing distribution or failover settings.
281+ LocalityLoadBalancerSetting locality_lb_setting = 35 ;
282+
283+
284+ // $hide_from_docs
285+ // Next available field number: 36
225286}
226287
227288// ConfigSource describes information about a configuration store inside a
@@ -240,60 +301,88 @@ message ConfigSource {
240301}
241302
242303
243- // The following example sets up locality weight for mesh wide service
244- // Assume a service resides in "region1/zone1/*" and "region1/zone2/*",
245- // and originating clusters also reside in "region1/zone1/*" and "region1/zone2/*".
246- // This example specifies when clusters from "region1/zone1/*" accessing the service, 80% of the traffic
247- // is shipped to "region1/zone1/*" ratings service endpoints, and the rest 20% to "region1/zone2/*".
304+ // Locality-weighted load balancing allows administrators to control the
305+ // distribution of traffic to endpoints based on the localities of where the
306+ // traffic originates and where it will terminate. These localities are
307+ // specified using arbitrary labels that designate a hierarchy of localities in
308+ // {region}/{zone}/{sub-zone} form. For additional detail refer to
309+ // https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight
310+ // The following example shows how to setup locality weights mesh-wide.
311+ //
312+ // Given a mesh with workloads and their service deployed to "us-west/zone1/*"
313+ // and "us-west/zone2/*". This example specifies that when traffic accessing a
314+ // service originates from workloads in "us-west/zone1/*", 80% of the traffic
315+ // will be sent to endpoints in "us-west/zone1/*", i.e the same zone, and the
316+ // remaining 20% will go to endpoints in "us-west/zone2/*". This setup is
317+ // intended to favor routing traffic to endpoints in the same locality.
318+ // A similar setting is specified for traffic originating in "us-west/zone2/*".
248319//
249320// ```yaml
250321// distribute:
251- // - from: region1 /zone1/*
322+ // - from: us-west /zone1/*
252323// to:
253- // "region1 /zone1/*": 80
254- // "region1 /zone2/*": 20
255- // - from: region1 /zone2/*
324+ // "us-west /zone1/*": 80
325+ // "us-west /zone2/*": 20
326+ // - from: us-west /zone2/*
256327// to:
257- // "region1 /zone1/*": 20
258- // "region1 /zone2/*": 80
328+ // "us-west /zone1/*": 20
329+ // "us-west /zone2/*": 80
259330// ```
260331//
261- // The following example sets up locality failover policy for the ratings service
262- // Assume a service resides in "region1" "region2" and "region3",
263- // This example specifies when clusters from "region1/zone1" accessing the service,
264- // if endpoints in "region1" becomes unhealthy, traffic will begin to trickle to "region2".
332+ // If the goal of the operator is not to distribute load across zones and
333+ // regions but rather to restrict the regionality of failover to meet other
334+ // operational requirements an operator can set a 'failover' policy instead of
335+ // a 'distribute' policy.
336+ //
337+ // The following example sets up a locality failover policy for regions.
338+ // Assume a service resides in zones within us-east, us-west & eu-west
339+ // this example specifies that when endpoints within us-east become unhealthy
340+ // traffic should failover to endpoints in any zone or sub-zone within eu-west
341+ // and similarly us-west should failover to us-east.
265342//
266343// ```yaml
267344// failover:
268- // - from: region1
269- // to: region2
345+ // - from: us-east
346+ // to: eu-west
347+ // - from: us-west
348+ // to: us-east
270349// ```
271350// Locality load balancing settings.
272351message LocalityLoadBalancerSetting {
273- // Originating -> upstream cluster locality weight set, support wildcard matching '*'
274- // '*' matches all localities
275- // 'region1/*' matches all zones in region1
352+ // Describes how traffic originating in the 'from' zone or sub-zone is
353+ // distributed over a set of 'to' zones. Syntax for specifying a zone is
354+ // {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
355+ // segment of the specification. Examples:
356+ // * - matches all localities
357+ // us-west/* - all zones and sub-zones within the us-west region
358+ // us-west/zone-1/* - all sub-zones within us-west/zone-1
276359 message Distribute {
277360 // Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
278361 string from = 1 ;
279362
280- // Upstream locality to loadbalancing weight map . The sum of all weights should be == 100.
281- // Should assign load balancing weight for all localities, otherwise the traffic are not routed
282- // following the percentage of weight .
363+ // Map of upstream localities to traffic distribution weights . The sum of
364+ // all weights should be == 100. Any locality not assigned a weight will
365+ // receive no traffic .
283366 map <string , uint32 > to = 2 ;
284367 };
285368
286- // Specify the traffic failover policy.
287- // As zone and sub_zone failover is supported by default, only region can be specified here.
369+ // Specify the traffic failover policy across regions. Since zone and sub-zone
370+ // failover is supported by default this only needs to be specified for
371+ // regions when the operator needs to constrain traffic failover so that
372+ // the default behavior of failing over to any endpoint globally does not
373+ // apply. This is useful when failing over traffic across regions would not
374+ // improve service health or may need to be restricted for other reasons
375+ // like regulatory controls.
288376 message Failover {
289377 // Originating region.
290378 string from = 1 ;
291379
292- // Destination region the traffic will fail over to when endpoints in local region becomes unhealthy.
380+ // Destination region the traffic will fail over to when endpoints in
381+ // the 'from' region becomes unhealthy.
293382 string to = 2 ;
294383 };
295384
296- // Optional: only distribute or failover can be set.
385+ // Optional: only one of distribute or failover can be set.
297386 // Explicitly specify loadbalancing weight across different zones and geographical locations.
298387 // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing.html?highlight=load_balancing_weight#locality-weighted-load-balancing)
299388 // If empty, the locality weight is set according to the endpoints number within it.
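Review bot: Field number 31 in MeshConfig changes meaning in the second hunk: `locality_lb_setting = 31` is removed and re-added as 35, and `repeated string default_service_export_to = 31` takes the number. Both fields are length-delimited in the binary encoding, so a MeshConfig serialized against the old numbering would have its locality settings decoded as an export-to entry or rejected as invalid UTF-8, and export_to decides which namespaces can see a service. If the old numbering ever shipped (not visible on this page), keep `LocalityLoadBalancerSetting locality_lb_setting = 31;` and number the four new fields 32 to 35. If 31 already belonged to default_service_export_to on another branch, a comment above field 35 such as `// Moved from 31, which is used by default_service_export_to.` would record why the number changed. MeshConfig starts before the first hunk, so other users of these numbers cannot be checked here.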