Commit a5e438e

WIP: talk about protocol selection
Signed-off-by: Flynn <[email protected]>
1 parent 4497b99 commit a5e438e

1 file changed

+72
-3
lines changed

geps/gep-3792/index.md

Lines changed: 72 additions & 3 deletions
@@ -264,12 +264,72 @@ There are three important aspects to the OCG API:
264264
The API must also solve all four of the problems listed above, so we'll start
265265
with an overview of the solutions before diving into the API details.
266266

267+
### The Mesh Resource
268+
269+
Since quite a few things about OCG support require mesh-wide configuration and
270+
status, we will define a new Mesh resource, analogous to the existing Gateway
271+
resource. We will NOT define a MeshClass resource at this point, though we
272+
will not rule it out for future work.
273+
274+
A future GEP will cover the Mesh resource in more detail, but for now the Mesh
275+
resource is fairly straightforward:
276+
277+
```yaml
278+
apiVersion: networking.x-k8s.io/v1
279+
kind: Mesh
280+
metadata:
281+
name: one-mesh-to-mesh-them-all
282+
namespace: mesh-namespace
283+
spec:
284+
controllerName: one-mesh.example.com/one-mesh # required, must be domain-prefixed
285+
parametersRef:
286+
# optional ParametersReference
287+
...
288+
ocg:
289+
# All OCG-related configuration goes here, see below
290+
...
291+
status:
292+
conditions:
293+
# MUST include Accepted and Ready conditions if the Mesh resource is active.
294+
- type: Accepted # Becomes true when the controller accepts the Mesh resource
295+
status: "True"
296+
reason: MeshAccepted
297+
lastTransitionTime: "2023-10-01T12:00:00Z"
298+
message: Mesh resource accepted by one-mesh v1.2.3 in namespace one-mesh
299+
- type: Ready # Becomes true when the mesh is actually running
300+
status: "True"
301+
reason: MeshReady
302+
lastTransitionTime: "2023-10-01T12:00:15Z"
303+
message: one-mesh v1.2.3 is running
304+
...
305+
supportedFeatures:
306+
# List of SupportedFeature
307+
- name: MeshHTTPRoute
308+
- name: MeshConsumerRoute
309+
- name: OffClusterGateway
310+
...
311+
```
312+
313+
Note that the `spec.controllerName` field is required, and must be a
314+
domain-prefixed name that identifies the mesh implementation. If a MeshClass
315+
resource is later defined, the intention is that the Mesh resource will gain a
316+
`meshClassName` field, the `controllerName` field will be deprecated, and a
317+
Mesh resource that includes both `controllerName` and `meshClassName` will be
318+
invalid.
319+
320+
Although it is explicitly not a goal of this GEP to support multiple meshes
321+
running in the same cluster at the same time, meshes still MUST provide
322+
human-readable information in the `Accepted` condition about which mesh
323+
instance has claimed a given Mesh resource, and SHOULD provide human-readable
324+
information in the `Ready` condition, in support of future expansion work.
325+
This information is meant to be used by [Chihiro] and [Ian] as confirmation
326+
that the mesh instance is doing what they expect it to do.
327+
267328
### Solving the Trust Problem
268329

269330
The trust problem is that the OCG and the mesh need to be able to trust each
270-
other. The simplest solution to this problem is to add a _trust bundle_ to the
271-
Gateway resource, and to create a Mesh resource which will also have a trust
272-
bundle:
331+
other. The simplest solution to this problem is to include a _trust bundle_ in
332+
both the Gateway resource and the Mesh resource:
273333

274334
- The trust bundle in the Gateway resource will define the CA certificate(s)
275335
that the OCG should trust when communicating with meshed workloads in the
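Review bot: the `apiVersion` in the Mesh example is `networking.x-k8s.io/v1`, while the ALPN identifier introduced later in this same file is `ocg.gateway.networking.k8s.io/v1`; the Gateway API resources this GEP extends live in the `gateway.networking.k8s.io` group, so the example (and the GEP's choice of group for Mesh) should be made consistent rather than leaving two different groups on the page. Two smaller points in the same hunk: the example `Accepted` message says the controller runs `in namespace one-mesh` while the resource's own `metadata.namespace` is `mesh-namespace`, and since the text says this message is what Chihiro and Ian use to confirm which instance claimed the resource, spell out whether the message names the controller's namespace or the Mesh's; and since the Mesh is shown as namespaced but carries mesh-wide configuration and, per the trust section, the mesh-side trust bundle, the hunk should state how a Gateway finds the Mesh resource it pairs with, or say that at most one Mesh resource may exist, because the trust relationship depends on that binding being unambiguous.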
@@ -308,6 +368,15 @@ workloads, and that the identities of both peers MUST be verified:
308368
- The mesh MUST verify the OCG's certificate against the trust bundle
309369
provided to the mesh.
310370

371+
Beyond that, the OCG needs a way to indicate to the mesh that it intends to
372+
participate in the mesh. Since multiple meshes may have fundamentally
373+
different approaches, we will add a `protocol` field to the Gateway's mesh
374+
configuration and to the Mesh's OCG configuration, to allow configuring the
375+
OCG and the mesh with a common mechanism.
376+
377+
The only defined value for this field is currently `ocg-basic-alpn/v1`. When
378+
using this protocol:
379+
311380
- The OCG MUST send the `ocg.gateway.networking.k8s.io/v1` ALPN protocol
312381
during mTLS negotiation. The mesh MUST interpret this ALPN selection as a
313382
signal that the OCG intends to participate in the mesh.
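Review bot: the ALPN signal in this hunk should be made explicitly subordinate to the certificate checks above it: state that the mesh MUST treat `ocg.gateway.networking.k8s.io/v1` as an intent-to-participate signal only on a connection whose peer certificate has already been verified against the trust bundle (the "mesh MUST verify the OCG's certificate" bullet), and that an unverified peer offering this ALPN is rejected rather than admitted; ALPN is exchanged in the TLS handshake before authentication completes, so on its own it proves nothing about the peer. Also define the mismatch cases, since the hunk currently specifies only the happy path: what the OCG and the mesh do when the `protocol` fields on the Gateway and the Mesh disagree, or when the mesh does not select the offered ALPN, and whether that should surface as a False `Accepted` or `Ready` condition on the relevant resource. Minor: say whether the `/v1` in the ALPN string is tied to the `/v1` in `ocg-basic-alpn/v1`, so readers know whether a later protocol version implies a new ALPN identifier.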
