Skip to main content
Version: 1.4.x

Overview

When you deploy your workloads on Kubernetes (and provide the correct parameters), the following happens transparently:

  1. An Istio sidecar is deployed next to your workload.
  2. The sidecar is configured with the location and other required metadata.

However, when you deploy your workloads outside of Kubernetes onto a standalone VM, you will have to take care of them by yourself.

The Workload Onboarding feature has been designed to solve this problem for you out-of-the-box. Using this feature, all you need to do to onboard a workload deployed on a VM into the mesh is:

  1. Install Istio sidecar on the target VM (via DEB/RPM).
  2. Install Workload Onboarding Agent on target VM (via DEB/RPM).
  3. Provide a minimal declarative configuration describing where to onboard the workload to, e.g.
apiVersion: config.agent.onboarding.tetrate.io/v1alpha1
kind: OnboardingConfiguration
onboardingEndpoint:                            # connect to
  host: onboarding-endpoint.your-company.corp
workloadGroup:                                 # join to
  namespace: bookinfo
  name: ratings

Components and Workflow

The Workload Onboarding consists of the following components:

ComponentDescription
Workload Onboarding Operatorcomponent that is installed into your Kubernetes cluster as part of the TSB Control Plane
Workload Onboarding Agentcomponent you need to install next to your VM workload
Workload Onboarding Endpointcomponent that Workload Onboarding Agent will connect to in order to register the workload in the mesh and obtain boot configuration for the Istio sidecar

Workload Onboarding Agent executes onboarding flow according to the declarative configuration provided by the user.

apiVersion: config.agent.onboarding.tetrate.io/v1alpha1
kind: OnboardingConfiguration
onboardingEndpoint:                           # (1)
  host: onboarding-endpoint.your-company.corp
workloadGroup:                                # (2)
  namespace: bookinfo
  name: ratings

Given the above configuration, the following takes place:

  1. Workload Onboarding Agent will connect to the Workload Onboarding Endpoint at https://onboarding-endpoint.your-company.corp:15443 (1)
  2. Workload Onboarding Endpoint will authenticate the connecting Agent from the cloud-specific credentials of the VM
  3. Workload Onboarding Endpoint will make the decision whether a workload with such an identity, i.e. identity of the VM, is authorized to join the mesh and given WorkloadGroup (2) in particular
  4. Workload Onboarding Endpoint will register a new WorkloadEntry at the Istio Control Plane to represent that workload
  5. Workload Onboarding Endpoint will generate boot configuration required to start Istio Proxy according to the respective WorkloadGroup resource (2)
  6. Workload Onboarding Agent will save the returned boot configuration to disk and start the Istio sidecar
  7. Istio sidecar will connect to the Istio Control Plane and receive its runtime configuration