When you deploy your workloads on Kubernetes (and provide the correct parameters), the following happens transparently:
- An Istio sidecar is deployed next to your workload.
- The sidecar is configured with the location and other required metadata.
However, when you deploy your workloads outside of Kubernetes, onto a standalone VM, you have to take care of these steps yourself.
The Workload Onboarding feature is designed to solve this problem for you out of the box. With it, all you need to do to onboard a workload deployed on a VM into the mesh is:
- Install the Istio sidecar on the target VM (via DEB/RPM).
- Install the Workload Onboarding Agent on the target VM (via DEB/RPM).
- Provide a minimal declarative configuration describing where to onboard the workload to, e.g.
      onboardingEndpoint: # connect to
      workloadGroup: # join to
Components and Workflow
Workload Onboarding consists of the following components:
| Component | Description |
|---|---|
| Workload Onboarding Operator | Component that is installed into your Kubernetes cluster as part of the TSB Control Plane |
| Workload Onboarding Agent | Component you need to install next to your VM workload |
| Workload Onboarding Endpoint | Component that the Workload Onboarding Agent connects to in order to register the workload in the mesh and obtain boot configuration for the Istio sidecar |
The Workload Onboarding Agent executes the onboarding flow according to the declarative configuration provided by the user.
    onboardingEndpoint: # (1)
    workloadGroup: # (2)
Given the above configuration, the following takes place:
- Workload Onboarding Agent will connect to the Workload Onboarding Endpoint
- Workload Onboarding Endpoint will authenticate the connecting Agent using the cloud-specific credentials of the VM
- Workload Onboarding Endpoint will decide whether a workload with such an identity, i.e. the identity of the VM, is authorized to join the mesh, and WorkloadGroup (2) in particular
- Workload Onboarding Endpoint will register a new WorkloadEntry at the Istio Control Plane to represent that workload
- Workload Onboarding Endpoint will generate boot configuration required to start
Istio Proxy according to the respective
- Workload Onboarding Agent will save the returned boot configuration to disk and start the Istio sidecar
- Istio sidecar will connect to the Istio Control Plane and receive its runtime configuration
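
The authentication, authorization and registration steps above, as a simplified default-deny model. This is an added example, not Tetrate's code: the `VmIdentity` and `AllowRule` types, the rule format, and the sample account, instance, namespace and group names are assumptions made for illustration; only the Istio `WorkloadEntry` resource kind is real.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VmIdentity:
    # Assumed shape of an identity the Endpoint derived from a verified
    # cloud credential; never built from fields the Agent merely claims.
    provider: str
    account: str
    instance_id: str


@dataclass(frozen=True)
class AllowRule:
    # Hypothetical policy entry: which cloud account may join which WorkloadGroup.
    provider: str
    account: str
    namespace: str
    workload_group: str


def is_authorized(vm: VmIdentity, namespace: str, group: str, rules) -> bool:
    # Default deny: the verified identity AND the requested group must match a rule.
    return any((r.provider, r.account, r.namespace, r.workload_group)
               == (vm.provider, vm.account, namespace, group) for r in rules)


def onboard(vm: Optional[VmIdentity], namespace: str, group: str,
            peer_address: str, rules) -> Optional[dict]:
    # vm is None when authentication of the cloud credential failed.
    if vm is None or not is_authorized(vm, namespace, group, rules):
        return None  # nothing is registered and no boot configuration is issued
    # Registration step: an Istio WorkloadEntry that represents this VM.
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "WorkloadEntry",
        "metadata": {"namespace": namespace, "name": f"{group}-{vm.instance_id}"},
        "spec": {"address": peer_address},
    }


# Constructed sample data, not taken from any real deployment.
RULES = [AllowRule("aws", "123456789012", "bookinfo", "ratings")]
VM = VmIdentity("aws", "123456789012", "i-0abc123")

if __name__ == "__main__":
    print(onboard(VM, "bookinfo", "ratings", "10.0.0.5", RULES))    # WorkloadEntry dict
    print(onboard(VM, "bookinfo", "reviews", "10.0.0.5", RULES))    # None: group not allowed
    print(onboard(None, "bookinfo", "ratings", "10.0.0.5", RULES))  # None: unauthenticated
```

The point to carry over to a real policy is that a VM authorized for one WorkloadGroup is still refused for any other, and that an empty rule set admits nothing.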