I propose that we add a Mesh UID to Istio. We need this to support the use case of aggregating telemetry from multiple Istio meshes in one place, and then being able to query it, distinguishing which mesh particular entries came from.
I know that other, more complex approaches to mesh identification have been discussed to cover use cases related to identity or admission to multicluster meshes. This proposal is intentionally very simple, hopefully avoids any controversial design choices, and gets the correct plumbing in place even if someone wants to use a specific different mesh UID value in the future.
https://tinyurl.com/y45s5x2d
Update: discussed with Config and Security, and decided it should go in MeshConfig for now.
(We’d likely eventually move this to be a CRD in the context of a TBD larger plan to secure Mesh UID and use it as part of identity.)
Update: discussed with Environments, and made some changes, which are now reflected in the linked design doc.
Key Changes:
- Call this “Mesh ID” (not “Mesh UID”)
- Admin can specify this in values.yaml; the value is eventually exposed in the istio-sidecar-injector ConfigMap (not in MeshConfig)
- Default value when not specified by the admin will be the mesh’s Trust Domain. (Do not autogenerate a UUID.)