admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update dependencies

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-12-22 16:48:26 +08:00
parent 4a11a50544
commit fe6c5de00f
2857 changed files with 252134 additions and 115656 deletions
Download Patch File Download Diff File Expand all files Collapse all files

569
vendor/istio.io/api/networking/v1alpha3/service_entry.proto generated vendored
View File

@@ -16,24 +16,37 @@ syntax = "proto3";
import "google/api/field_behavior.proto";
import "networking/v1alpha3/gateway.proto";
import "networking/v1alpha3/sidecar.proto";
import "networking/v1alpha3/workload_entry.proto";
// $schema: istio.networking.v1alpha3.ServiceEntry
// $title: Service Entry
// $description: Configuration affecting service registry.
// $location: https://istio.io/docs/reference/config/networking/service-entry.html
// $aliases: [/docs/reference/config/networking/v1alpha3/service-entry.html]
// $aliases: [/docs/reference/config/networking/v1alpha3/service-entry]
// `ServiceEntry` enables adding additional entries into Istio's internal
// service registry, so that auto-discovered services in the mesh can
// access/route to these manually specified services. A service entry
// describes the properties of a service (DNS name, VIPs, ports, protocols,
// endpoints). These services could be external to the mesh (e.g., web
// APIs) or mesh-internal services that are not part of the platform's
// service registry (e.g., a set of VMs talking to services in Kubernetes).
// `ServiceEntry` enables adding additional entries into Istio's
// internal service registry, so that auto-discovered services in the
// mesh can access/route to these manually specified services. A
// service entry describes the properties of a service (DNS name,
// VIPs, ports, protocols, endpoints). These services could be
// external to the mesh (e.g., web APIs) or mesh-internal services
// that are not part of the platform's service registry (e.g., a set
// of VMs talking to services in Kubernetes). In addition, the
// endpoints of a service entry can also be dynamically selected by
// using the `workloadSelector` field. These endpoints can be VM
// workloads declared using the `WorkloadEntry` object or Kubernetes
// pods. The ability to select both pods and VMs under a single
// service allows for migration of services from VMs to Kubernetes
// without having to change the existing DNS names associated with the
// services.
//
// The following example declares a few external APIs accessed by internal
// applications over HTTPS. The sidecar inspects the SNI value in the
// ClientHello message to route to the appropriate external service.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -51,12 +64,36 @@ import "networking/v1alpha3/gateway.proto";
// protocol: TLS
// resolution: DNS
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-https
// spec:
// hosts:
// - api.dropboxapi.com
// - www.googleapis.com
// - api.facebook.com
// location: MESH_EXTERNAL
// ports:
// - number: 443
// name: https
// protocol: TLS
// resolution: DNS
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following configuration adds a set of MongoDB instances running on
// unmanaged VMs to Istio's registry, so that these services can be treated
// as any other service in the mesh. The associated DestinationRule is used
// to initiate mTLS connections to the database instances.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -77,9 +114,36 @@ import "networking/v1alpha3/gateway.proto";
// - address: 2.2.2.2
// - address: 3.3.3.3
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-mongocluster
// spec:
// hosts:
// - mymongodb.somedomain # not used
// addresses:
// - 192.192.192.192/24 # VIPs
// ports:
// - number: 27018
// name: mongodb
// protocol: MONGO
// location: MESH_INTERNAL
// resolution: STATIC
// endpoints:
// - address: 2.2.2.2
// - address: 3.3.3.3
// ```
// {{</tab>}}
// {{</tabset>}}
//
// and the associated DestinationRule
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
@@ -94,11 +158,32 @@ import "networking/v1alpha3/gateway.proto";
// privateKey: /etc/certs/client_private_key.pem
// caCertificates: /etc/certs/rootcacerts.pem
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: mtls-mongocluster
// spec:
// host: mymongodb.somedomain
// trafficPolicy:
// tls:
// mode: MUTUAL
// clientCertificate: /etc/certs/myclientcert.pem
// privateKey: /etc/certs/client_private_key.pem
// caCertificates: /etc/certs/rootcacerts.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following example uses a combination of service entry and TLS
// routing in a virtual service to steer traffic based on the SNI value to
// an internal egress firewall.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -115,9 +200,32 @@ import "networking/v1alpha3/gateway.proto";
// protocol: TLS
// resolution: NONE
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-redirect
// spec:
// hosts:
// - wikipedia.org
// - "*.wikipedia.org"
// location: MESH_EXTERNAL
// ports:
// - number: 443
// name: https
// protocol: TLS
// resolution: NONE
// ```
// {{</tab>}}
// {{</tabset>}}
//
// And the associated VirtualService to route based on the SNI value.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: VirtualService
@@ -136,6 +244,29 @@ import "networking/v1alpha3/gateway.proto";
// - destination:
// host: internal-egress-firewall.ns1.svc.cluster.local
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: VirtualService
// metadata:
// name: tls-routing
// spec:
// hosts:
// - wikipedia.org
// - "*.wikipedia.org"
// tls:
// - match:
// - sniHosts:
// - wikipedia.org
// - "*.wikipedia.org"
// route:
// - destination:
// host: internal-egress-firewall.ns1.svc.cluster.local
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The virtual service with TLS match serves to override the default SNI
// match. In the absence of a virtual service, traffic will be forwarded to
@@ -149,6 +280,8 @@ import "networking/v1alpha3/gateway.proto";
// current namespace, represented by ".", so that it cannot be used by other
// namespaces.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -167,9 +300,34 @@ import "networking/v1alpha3/gateway.proto";
// protocol: HTTP
// resolution: DNS
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-httpbin
// namespace : egress
// spec:
// hosts:
// - httpbin.com
// exportTo:
// - "."
// location: MESH_EXTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: DNS
// ```
// {{</tab>}}
// {{</tabset>}}
//
// Define a gateway to handle all egress traffic.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -187,6 +345,28 @@ import "networking/v1alpha3/gateway.proto";
// hosts:
// - "*"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: istio-egressgateway
// namespace: istio-system
// spec:
// selector:
// istio: egressgateway
// servers:
// - port:
// number: 80
// name: http
// protocol: HTTP
// hosts:
// - "*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// And the associated `VirtualService` to route from the sidecar to the
// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as
@@ -195,6 +375,8 @@ import "networking/v1alpha3/gateway.proto";
// through the gateway to the external service. Forcing traffic to go through
// a managed middle proxy like this is a common practice.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: VirtualService
@@ -225,12 +407,49 @@ import "networking/v1alpha3/gateway.proto";
// - destination:
// host: httpbin.com
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: VirtualService
// metadata:
// name: gateway-routing
// namespace: egress
// spec:
// hosts:
// - httpbin.com
// exportTo:
// - "*"
// gateways:
// - mesh
// - istio-egressgateway
// http:
// - match:
// - port: 80
// gateways:
// - mesh
// route:
// - destination:
// host: istio-egressgateway.istio-system.svc.cluster.local
// - match:
// - port: 80
// gateways:
// - istio-egressgateway
// route:
// - destination:
// host: httpbin.com
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following example demonstrates the use of wildcards in the hosts for
// external services. If the connection has to be routed to the IP address
// requested by the application (i.e. application resolves DNS and attempts
// to connect to a specific IP), the discovery mode must be set to `NONE`.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -246,11 +465,33 @@ import "networking/v1alpha3/gateway.proto";
// protocol: HTTP
// resolution: NONE
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-wildcard-example
// spec:
// hosts:
// - "*.bar.com"
// location: MESH_EXTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: NONE
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following example demonstrates a service that is available via a
// Unix Domain Socket on the host of the client. The resolution must be
// set to STATIC to use Unix address endpoints.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -268,6 +509,28 @@ import "networking/v1alpha3/gateway.proto";
// endpoints:
// - address: unix:///var/run/example/socket
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: unix-domain-socket-example
// spec:
// hosts:
// - "example.unix.local"
// location: MESH_EXTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: STATIC
// endpoints:
// - address: unix:///var/run/example/socket
// ```
// {{</tab>}}
// {{</tabset>}}
//
// For HTTP-based services, it is possible to create a `VirtualService`
// backed by multiple DNS addressable endpoints. In such a scenario, the
@@ -277,6 +540,8 @@ import "networking/v1alpha3/gateway.proto";
// service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
// uk.foo.bar.com:9080, and in.foo.bar.com:7080
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -294,6 +559,34 @@ import "networking/v1alpha3/gateway.proto";
// endpoints:
// - address: us.foo.bar.com
// ports:
// http: 8080
// - address: uk.foo.bar.com
// ports:
// http: 9080
// - address: in.foo.bar.com
// ports:
// http: 7080
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-dns
// spec:
// hosts:
// - foo.bar.com
// location: MESH_EXTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: DNS
// endpoints:
// - address: us.foo.bar.com
// ports:
// https: 8080
// - address: uk.foo.bar.com
// ports:
@@ -302,6 +595,8 @@ import "networking/v1alpha3/gateway.proto";
// ports:
// https: 7080
// ```
// {{</tab>}}
// {{</tabset>}}
//
// With `HTTP_PROXY=http://localhost/`, calls from the application to
// `http://foo.bar.com` will be load balanced across the three domains
@@ -312,6 +607,8 @@ import "networking/v1alpha3/gateway.proto";
// containing a subject alternate name
// whose format conforms to the [SPIFFE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -333,7 +630,147 @@ import "networking/v1alpha3/gateway.proto";
// subjectAltNames:
// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: httpbin
// namespace : httpbin-ns
// spec:
// hosts:
// - httpbin.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: STATIC
// endpoints:
// - address: 2.2.2.2
// - address: 3.3.3.3
// subjectAltNames:
// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following example demonstrates the use of `ServiceEntry` with a
// `workloadSelector` to handle the migration of a service
// `details.bookinfo.com` from VMs to Kubernetes. The service has two
// VM-based instances with sidecars as well as a set of Kubernetes
// pods managed by a standard deployment object. Consumers of this
// service in the mesh will be automatically load balanced across the
// VMs and Kubernetes. VM for the `details.bookinfo.com`
// service. This VM has sidecar installed and bootstrapped using the
// `details-legacy` service account. The sidecar receives HTTP traffic
// on port 80 (wrapped in istio mutual TLS) and forwards it to the
// application on the localhost on the same port.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: WorkloadEntry
// metadata:
// name: details-vm-1
// spec:
// serviceAccount: details
// address: 2.2.2.2
// labels:
// app: details
// instance-id: vm1
// ---
// apiVersion: networking.istio.io/v1alpha3
// kind: WorkloadEntry
// metadata:
// name: details-vm-2
// spec:
// serviceAccount: details
// address: 3.3.3.3
// labels:
// app: details
// instance-id: vm2
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: WorkloadEntry
// metadata:
// name: details-vm-1
// spec:
// serviceAccount: details
// address: 2.2.2.2
// labels:
// app: details
// instance-id: vm1
// ---
// apiVersion: networking.istio.io/v1beta1
// kind: WorkloadEntry
// metadata:
// name: details-vm-2
// spec:
// serviceAccount: details
// address: 3.3.3.3
// labels:
// app: details
// instance-id: vm2
// ```
// {{</tab>}}
// {{</tabset>}}
//
// Assuming there is also a Kubernetes deployment with pod labels
// `app: details` using the same service account `details`, the
// following service entry declares a service spanning both VMs and
// Kubernetes:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: STATIC
// workloadSelector:
// labels:
// app: details
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: details-svc
// spec:
// hosts:
// - details.bookinfo.com
// location: MESH_INTERNAL
// ports:
// - number: 80
// name: http
// protocol: HTTP
// resolution: STATIC
// workloadSelector:
// labels:
// app: details
// ```
// {{</tab>}}
// {{</tabset>}}
package istio.networking.v1alpha3;
option go_package = "istio.io/api/networking/v1alpha3";
@@ -341,6 +778,27 @@ option go_package = "istio.io/api/networking/v1alpha3";
// ServiceEntry enables adding additional entries into Istio's internal
// service registry.
//
// <!-- crd generation tags
// +cue-gen:ServiceEntry:groupName:networking.istio.io
// +cue-gen:ServiceEntry:version:v1alpha3
// +cue-gen:ServiceEntry:storageVersion
// +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:ServiceEntry:subresource:status
// +cue-gen:ServiceEntry:scope:Namespaced
// +cue-gen:ServiceEntry:resource:categories=istio-io,networking-istio-io,shortNames=se,plural=serviceentries
// +cue-gen:ServiceEntry:printerColumn:name=Hosts,type=string,JSONPath=.spec.hosts,description="The hosts associated with the ServiceEntry"
// +cue-gen:ServiceEntry:printerColumn:name=Location,type=string,JSONPath=.spec.location,description="Whether the service is external to the
// mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)"
// +cue-gen:ServiceEntry:printerColumn:name=Resolution,type=string,JSONPath=.spec.resolution,description="Service discovery mode for the hosts
// (NONE, STATIC, or DNS)"
// +cue-gen:ServiceEntry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// +cue-gen:ServiceEntry:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=networking.istio.io/v1alpha3
@@ -356,9 +814,22 @@ message ServiceEntry {
// 3. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
// will be matched against the hosts field.
//
// Note that when resolution is set to type DNS
// and no endpoints are specified, the host field will be used as the DNS name
// of the endpoint to route traffic to.
// **NOTE 1:** When resolution is set to type DNS and no endpoints
// are specified, the host field will be used as the DNS name of the
// endpoint to route traffic to.
//
// **NOTE 2:** If the hostname matches with the name of a service
// from another service registry such as Kubernetes that also
// supplies its own set of endpoints, the ServiceEntry will be
// treated as a decorator of the existing Kubernetes
// service. Properties in the service entry will be added to the
// Kubernetes service if applicable. Currently, the only the
// following additional properties will be considered by `istiod`:
//
// 1. subjectAltNames: In addition to verifying the SANs of the
// service accounts associated with the pods of the service, the
// SANs specified here will also be verified.
//
repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];
// The virtual IP addresses associated with the service. Could be CIDR
@@ -439,62 +910,20 @@ message ServiceEntry {
// Service discovery mode for the hosts. Care must be taken
// when setting the resolution mode to NONE for a TCP port without
// accompanying IP addresses. In such cases, traffic to any IP on
// said port will be allowed (i.e. 0.0.0.0:<port>).
// said port will be allowed (i.e. `0.0.0.0:<port>`).
Resolution resolution = 5 [(google.api.field_behavior) = REQUIRED];
// Endpoint defines a network address (IP or hostname) associated with
// the mesh service.
message Endpoint {
// Address associated with the network endpoint without the
// port. Domain names can be used if and only if the resolution is set
// to DNS, and must be fully-qualified without wildcards. Use the form
// unix:///absolute/path/to/socket for Unix domain socket endpoints.
string address = 1 [(google.api.field_behavior) = REQUIRED];
// One or more endpoints associated with the service. Only one of
// `endpoints` or `workloadSelector` can be specified.
repeated WorkloadEntry endpoints = 6;
// Set of ports associated with the endpoint. The ports must be
// associated with a port name that was declared as part of the
// service. Do not use for `unix://` addresses.
map<string, uint32> ports = 2;
// One or more labels associated with the endpoint.
map<string, string> labels = 3;
// Network enables Istio to group endpoints resident in the same L3
// domain/network. All endpoints in the same network are assumed to be
// directly reachable from one another. When endpoints in different
// networks cannot reach each other directly, an Istio Gateway can be
// used to establish connectivity (usually using the
// AUTO_PASSTHROUGH mode in a Gateway Server). This is
// an advanced configuration used typically for spanning an Istio mesh
// over multiple clusters.
string network = 4;
// The locality associated with the endpoint. A locality corresponds
// to a failure domain (e.g., country/region/zone). Arbitrary failure
// domain hierarchies can be represented by separating each
// encapsulating failure domain by /. For example, the locality of an
// an endpoint in US, in US-East-1 region, within availability zone
// az-1, in data center rack r11 can be represented as
// us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
// endpoints within the same locality as the sidecar. If none of the
// endpoints in the locality are available, endpoints parent locality
// (but within the same network ID) will be chosen. For example, if
// there are two endpoints in same network (networkID "n1"), say e1
// with locality us/us-east-1/az-1/r11 and e2 with locality
// us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
// will prefer e1 from the same locality over e2 from a different
// locality. Endpoint e2 could be the IP associated with a gateway
// (that bridges networks n1 and n2), or the IP associated with a
// standard service endpoint.
string locality = 5;
// The load balancing weight associated with the endpoint. Endpoints
// with higher weights will receive proportionally higher traffic.
uint32 weight = 6;
};
// One or more endpoints associated with the service.
repeated Endpoint endpoints = 6;
// Applicable only for MESH_INTERNAL services. Only one of
// `endpoints` or `workloadSelector` can be specified. Selects one
// or more Kubernetes pods or VM workloads (specified using
// `WorkloadEntry`) based on their labels. The `WorkloadEntry` object
// representing the VMs should be defined in the same namespace as
// the ServiceEntry.
WorkloadSelector workload_selector = 9;
// A list of namespaces to which this service is exported. Exporting a service
// allows it to be used by sidecars, gateways and virtual services defined in
@@ -517,10 +946,12 @@ message ServiceEntry {
// "." or "*" (i.e., the current namespace or all namespaces).
repeated string export_to = 7;
// The list of subject alternate names allowed for workload instances that
// implement this service. This information is used to enforce
// [secure-naming](https://istio.io/docs/concepts/security/#secure-naming).
// If specified, the proxy will verify that the server
// certificate's subject alternate name matches one of the specified values.
// If specified, the proxy will verify that the server certificate's
// subject alternate name matches one of the specified values.
//
// NOTE: When using the workloadEntry with workloadSelectors, the
// service account specified in the workloadEntry will also be used
// to derive the additional subject alternate names that should be
// verified.
repeated string subject_alt_names = 8;
}