Cloud Run API reference
This page provides a reference for the APIs that are used to configure Service Mesh for Cloud Run workloads.
Cloud Run V1 API (google.cloud.run.v1)
Service mesh is enabled using a Revision level system annotation. The value of this annotation is the backing mesh name of the Cloud Service Mesh Istio cluster.
Annotation | Value |
---|---|
run.googleapis.com/mesh | projects/<PROJECT>/locations/global/meshes/<MESH> |
Cloud Service Mesh Istio API
VirtualService API
Field Name | Type | Field Description |
---|---|---|
gateways | string[] | If the gateways include "external-mesh", the virtual service applies only to non-GKE workloads. If "mesh" is specified along with "external-mesh", the virtual service applies to both non-GKE and GKE workloads. |
exportTo | string | Because non-GKE workloads have no concept of a namespace, "external-mesh" virtual services ignore the exportTo field. Virtual services that specify "mesh" or other gateways continue to honour it as expected for GKE workloads. |
httpRoute.HTTPMatchRequest.SourceLabels | map | Ignored for "external-mesh" virtual services. Virtual services that specify "mesh" or other gateways continue to work as expected for GKE workloads. |
httpRoute.HTTPMatchRequest.SourceNamespace | string | Ignored for "external-mesh" virtual services. Virtual services that specify "mesh" or other gateways continue to work as expected for GKE workloads. |
httpRoute.HTTPMatchRequest.Gateways | string[] | Ignored for "external-mesh" virtual services. Virtual services that specify "mesh" or other gateways continue to work as expected for GKE workloads. |
tls | tlsRoute[] | Ignored for "external-mesh" virtual services. Virtual services that specify "mesh" or other gateways continue to work as expected for GKE workloads. |
tcp | tcpRoute[] | Ignored for "external-mesh" virtual services. Virtual services that specify "mesh" or other gateways continue to work as expected for GKE workloads. |
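The table above lists fields that are silently ignored when a VirtualService is exposed to Cloud Run callers through the "external-mesh" gateway. The following added example (not code from Google or Istio) is a small pre-deploy lint that reads a VirtualService as a plain dict (the shape `kubectl get virtualservice -o json` returns), reports which kinds of workload it applies to according to its gateways list, and flags settings such as a `sourceNamespace` match or an `exportTo` scope that will not restrict Cloud Run callers. The sample resource is constructed.

```python
"""Lint an Istio VirtualService for use with Cloud Run ("external-mesh") callers.

Added example, not Google's or Istio's code. It encodes the field table above:
a VirtualService reaches non-GKE (Cloud Run) callers only when "external-mesh"
is listed in gateways, reaches GKE sidecars when "mesh" is listed, and for
external-mesh callers the exportTo field, the sourceLabels/sourceNamespace/
gateways match fields and the tls/tcp route sections are ignored.
"""
from typing import List, Set

EXTERNAL_GATEWAY = "external-mesh"
MESH_GATEWAY = "mesh"
IGNORED_MATCH_FIELDS = ("sourceLabels", "sourceNamespace", "gateways")
IGNORED_ROUTE_SECTIONS = ("tls", "tcp")

# Constructed sample: the /admin route is meant to be reachable only from the
# "shop" namespace, but that restriction is dropped for Cloud Run callers.
SAMPLE_VS = {
    "apiVersion": "networking.istio.io/v1",
    "kind": "VirtualService",
    "metadata": {"name": "cart", "namespace": "shop"},
    "spec": {
        "hosts": ["cart.shop.svc.cluster.local"],
        "gateways": ["external-mesh", "mesh"],
        "exportTo": ["."],
        "http": [
            {"match": [{"sourceNamespace": "shop", "uri": {"prefix": "/admin"}}],
             "route": [{"destination": {"host": "cart-admin.shop.svc.cluster.local"}}]},
            {"route": [{"destination": {"host": "cart.shop.svc.cluster.local"}}]},
        ],
        "tcp": [{"match": [{"port": 9000}],
                 "route": [{"destination": {"host": "cart.shop.svc.cluster.local"}}]}],
    },
}


def audience(vs: dict) -> Set[str]:
    """Which kinds of workload the VirtualService applies to, per its gateways list."""
    gateways = vs.get("spec", {}).get("gateways", [])
    who: Set[str] = set()
    if EXTERNAL_GATEWAY in gateways:
        who.add("non-GKE")
    # Istio applies a VirtualService with no gateways list to the mesh.
    if MESH_GATEWAY in gateways or not gateways:
        who.add("GKE")
    return who


def lint(vs: dict) -> List[str]:
    """Findings about settings that are ignored when Cloud Run callers use this route."""
    findings: List[str] = []
    spec = vs.get("spec", {})
    name = vs.get("metadata", {}).get("name", "<unnamed>")
    if "non-GKE" not in audience(vs):
        return findings  # the rules in the table only bite for external-mesh virtual services
    if spec.get("exportTo"):
        findings.append(f"{name}: exportTo is ignored for Cloud Run callers")
    for i, route in enumerate(spec.get("http", [])):
        for j, match in enumerate(route.get("match", [])):
            for field in IGNORED_MATCH_FIELDS:
                if field in match:
                    findings.append(
                        f"{name}: http[{i}].match[{j}].{field} is ignored for Cloud Run "
                        "callers, so it does not narrow which of them hit this route")
    for section in IGNORED_ROUTE_SECTIONS:
        if spec.get(section):
            findings.append(f"{name}: {section} routes are ignored for Cloud Run callers")
    return findings


if __name__ == "__main__":
    print("applies to:", sorted(audience(SAMPLE_VS)))
    for finding in lint(SAMPLE_VS):
        print("-", finding)
```

Run it over the output of `kubectl get virtualservice -A -o json` (iterating over `items`) before enabling the mesh annotation on a Cloud Run service; a finding on a `sourceNamespace` or `sourceLabels` match means the route was restricted by caller identity in a way that Cloud Run callers do not see.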
Istio Auto MTLS and Secure Naming
Currently, Cloud Service Mesh supports Automatic Istio MutualTLS and Secure Naming for requests between GKE Services.
For Preview, non-GKE workloads communicating with GKE workloads or services do not use Istio Auto MTLS or Secure Naming; this traffic is sent in plain text. Make sure that GKE Services have a permissive MTLS policy (the Istio API default), which accepts MTLS traffic from GKE workloads and plain text from non-GKE workloads.
Use the following commands to check whether PeerAuthentication is in permissive mode:
```shell
# List the PeerAuthentication resources in a namespace.
# If no PeerAuthentication resource exists in the namespace,
# the mode is PERMISSIVE (the Istio API default).
kubectl get PeerAuthentication -n "$NAMESPACE"

# For each resource listed above, print its spec.
kubectl get PeerAuthentication "$PEER_AUTHN" -n "$NAMESPACE" -o yaml
```
The expected output is as follows. The MTLS mode must be PERMISSIVE; if the output says STRICT, update the policy to PERMISSIVE.
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: $PEER_AUTHN
  namespace: $NAMESPACE
spec:
  mtls:
    mode: PERMISSIVE
```
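The check above inspects the policies in one namespace, but the mode a GKE workload actually enforces is the result of Istio's precedence rules: a policy with a workload selector overrides a namespace-wide policy, which overrides a mesh-wide policy in the Istio root namespace, and `portLevelMtls` can override a single port. A namespace with no PeerAuthentication of its own therefore still rejects plain text if the root namespace carries a STRICT policy. The following added example (not Google's or Istio's code) computes the effective mode for a workload from a list of PeerAuthentication resources, as `kubectl get peerauthentication -A -o json` would return them. It assumes the default root namespace `istio-system`, and the sample policies are constructed.

```python
"""Compute the effective PeerAuthentication mTLS mode for a workload port.

Added example, not Google's or Istio's code. Precedence follows Istio's
documented rules: a policy with a workload selector beats a namespace-wide
policy, which beats a mesh-wide policy in the root namespace (assumed to be
"istio-system"); portLevelMtls overrides the policy's mtls.mode for that port;
an UNSET mode inherits from the next broader scope; with nothing configured the
mode is PERMISSIVE. Where several workload-level policies match, the first one
in the list is used (a simplification; Istio's choice is not defined).
"""
from typing import Dict, List, Optional

ROOT_NAMESPACE = "istio-system"  # assumption: default Istio root namespace
DEFAULT_MODE = "PERMISSIVE"

# Constructed sample policies, reduced to the fields that matter here.
SAMPLE_POLICIES: List[dict] = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "default", "namespace": "shop"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "cart-strict", "namespace": "shop"},
     "spec": {"selector": {"matchLabels": {"app": "cart"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"8080": {"mode": "PERMISSIVE"}}}},
]


def _mode(spec: dict, port: Optional[int]) -> Optional[str]:
    """Mode a single policy sets for `port`, or None when it is UNSET."""
    if port is not None:
        # JSON object keys are strings, so port numbers appear as "8080".
        port_mode = spec.get("portLevelMtls", {}).get(str(port), {}).get("mode")
        if port_mode and port_mode != "UNSET":
            return port_mode
    mode = spec.get("mtls", {}).get("mode")
    return mode if mode and mode != "UNSET" else None


def _selects(spec: dict, labels: Dict[str, str]) -> bool:
    """True when every matchLabels entry of the policy's selector is on the workload."""
    match = spec.get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())


def effective_mtls_mode(policies: List[dict], namespace: str,
                        labels: Dict[str, str], port: Optional[int] = None) -> str:
    """Effective mTLS mode for a workload with `labels` in `namespace` on `port`."""
    def in_ns(p: dict, ns: str) -> bool:
        return p["metadata"]["namespace"] == ns

    workload_level = [p for p in policies if in_ns(p, namespace)
                      and p["spec"].get("selector") and _selects(p["spec"], labels)]
    namespace_level = [p for p in policies if in_ns(p, namespace)
                       and not p["spec"].get("selector")]
    mesh_level = [p for p in policies if in_ns(p, ROOT_NAMESPACE)
                  and not p["spec"].get("selector")]
    # Most specific scope first; an UNSET mode falls through to the next scope.
    for scope in (workload_level, namespace_level, mesh_level):
        for policy in scope:
            mode = _mode(policy["spec"], port)
            if mode:
                return mode
    return DEFAULT_MODE


def rejects_plaintext(policies: List[dict], namespace: str,
                      labels: Dict[str, str], port: Optional[int] = None) -> bool:
    """True when plain-text traffic (e.g. from a Cloud Run caller) would be refused."""
    return effective_mtls_mode(policies, namespace, labels, port) == "STRICT"


if __name__ == "__main__":
    for ns, lbl, prt in (("shop", {"app": "cart"}, 8080), ("shop", {"app": "cart"}, 9090),
                         ("shop", {"app": "web"}, None), ("payments", {"app": "ledger"}, None)):
        print(ns, lbl, prt, "->", effective_mtls_mode(SAMPLE_POLICIES, ns, lbl, prt))
```

In the constructed sample, the `payments` namespace has no PeerAuthentication at all, yet its workloads are STRICT because of the root-namespace policy; the namespace-only check above would report it as PERMISSIVE. The `cart` workload shows the opposite direction: a STRICT workload policy with a PERMISSIVE port override leaves only port 8080 reachable from Cloud Run.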
MeshConfig Telemetry
Cloud Service Mesh supports the MeshConfig telemetry API to enable and disable Cloud Logging and Cloud Monitoring for GKE workloads. This works the same way for non-GKE workloads.
Destination Rule
For Preview, DestinationRule resources targeting "external-mesh" virtual services are supported, except for the following field: trafficPolicy.tls.
Sidecar API
The Sidecar API does not apply to non-GKE workloads. Non-GKE workloads see all virtual services scoped to "external-mesh" without being filtered by any Sidecar visibility rules.
Security API - Authorization Policy, Request Authentication Policy
These do not apply to non-GKE workloads acting as clients that send outbound traffic. They continue to apply to GKE workloads that receive inbound traffic.
GCPBackend API
Field Name | Type | Field Description |
---|---|---|
GCPBackend | struct | Schema for the GCPBackend resource. |
TypeMeta | metav1.TypeMeta | Embedded struct for storing metadata information like kind and API version. |
ObjectMeta | metav1.ObjectMeta | Embedded struct for storing metadata information like name, namespace, labels, annotations, etc. |
Spec | GCPBackendSpec | Specification for the GCPBackend resource, defining its desired state. |
GCPBackendSpec | struct | Defines the desired state of the GRPCRoute. |
CloudRun | *CloudRunBackend | Defines a backend running in CloudRun (optional). |
CloudRunBackend | struct | Identifies a service running on Cloud Run. |
Service | string | CloudRun service name. Must be between 1 and 49 characters, follow a specific pattern, and consist only of lowercase letters, hyphens, and numbers. |
Regions | []Region | Regions of the CloudRun service. Exactly one region must be provided. |
Project | string | Project ID of the CloudRun service. Defaults to the same project as the GKE cluster. Must be between 6 and 30 characters and follow a specific pattern. Currently, Cloud Run Service and the GKE Cluster must be in the same project. |
GCPBackendList | struct | Contains a list of GCPBackends. |
Items | []*GCPBackend | Array of GCPBackend pointers representing the list of GCPBackend resources. |
ListMeta | metav1.ListMeta | Embedded struct for storing list metadata information like resource version and continue token for pagination. |