New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for VirtualService delegate #1209
Conversation
d8509db
to
ff1a006
Compare
// metadata: | ||
// name: productpage | ||
// namespace: nsA | ||
// spec: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems strange that the delegate VirtualService has no hosts. I would have expected:
hosts:
- productpage.nsA.svc.cluster.local
Otherwise, where are the rules for routing internal requests to the reviews service? Won't I need to create another VS with exactly the same contents (+ the hosts field) to define the rules for internal calls from inside the mesh to the productpage service?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, why I note this is that:
Here we need to distinguish if this is a delegate or root VS, we don't want the delegate rule function alone. Because in addition to the matching rules, there are some fields like headers, if the delegate function alone, the result may be not intended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, I would say the same behavior would be expected for a delegate or standalone VS for the same target. Can you give me a specific example of where they need to be different?
I also think that if there really is a difference between a delegate and a standalone VS, you should either use a different structure for delegates (e.g., kind: VirtualServiceDelegate), or at least have some clear way to mark it as a delegate (e.g., maybe a special reserved host value). Using a VS with no hosts to represent a delegate seems a little like a hack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it is a littler hack, but that's consistent with k8s proposal https://docs.google.com/document/d/1BxYbDovMwnEqe8lj8JwHo8YxHAt3oC7ezhlFsG_tyag/edit#heading=h.czggbhygorv and also coutour IngressRoute https://github.com/projectcontour/contour/blob/master/design/ingressroute-design.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also think that if there really is a difference between a delegate and a standalone VS, you should either use a different structure for delegates (e.g., kind: VirtualServiceDelegate), or at least have some clear way to mark it as a delegate (e.g., maybe a special reserved host value).
Indeed it has a difference, say multi delegates should work as referred orders, but if we donot know whether they are delegates, the routing rule will be applied un ordered.
So, in order to remove the hack way, a field indicates it is a delegate sounds good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll repeat what I'll say over and over again: we should do what HTTPRoute does
Here is one thought. Virtual service can have a separate include section that specifies names of other virtual services and conditions under which these virtual services should be included. Eg
This will cause pilot to only include the http rules that have /barbar as a prefix or exact match in the vs1 virtual service in the ns1 namespace. Now that said, @louiscryan & @frankbu the problem with delegation now is how to deal with the imports at gateway. Gateway hosts can specify something like ns1/*.bar.com - wherein the semantics is that only virtual services matching *.bar.com from ns1 namespace will be included by the gateway. If such a virtual service in ns1 namespace then delegates to ns2 namespace, do we import even though the gateway didn’t say so ? If we do, the semantics will be confusing. If we don’t and force people to put all the delegated vs in the ns1 namespace only, then the effectiveness of delegation is less as the motivation for delegation is that the gateway admin in say istio-system can define the top level virtual service alone while delegating the specific virtual services to the namespaces that own the destination hosts of the virtual services. |
This is what k8s community proposed, cross namespace reference in istio also exists from the beginning, like DestinationRule, gateway and virtualservice, etc. |
By this we can introduce a new struct with simplified matching conditions(maybe just has uri, headers and query params), which can simplify the merging semantics in the original proposal. |
I think we should stick to what the have in the k8s API so we can converge. Adding different behavior just makes users confused |
also we should probably be designing this in the design doc not a pr |
Lets first do what makes sense in our api as users today will be confused if this is incongruent with what we have. K8s api has to evolve. We dont want to restrict delegation to just http. Delegation is possible with sni routing and tcp routing as well. A top level include with match conditions will allow us to delegate for all scenarios in Istio |
For what its worth, the k8s apis also support tls/tcp delegation. We don't need to completely restrict ourselves to their API but I do think its valuable to draw inspiration from it, and when we do drift from it make sure we are actually getting value from it |
I have already supplemented tcp/tls delegate days ago, please have a look if you have a chance. |
FYI, basically it aligns with istio in high level.
HTTPRoute
|
ff1a006
to
4211ddf
Compare
51a0bef
to
86eb53c
Compare
/test gencheck_api |
86eb53c
to
480f279
Compare
480f279
to
7873c8e
Compare
7873c8e
to
6af21ea
Compare
// 1. Only one tier of delegate can be set. | ||
// 2. The delegate's Match conditions must be a strict subset of the root's, | ||
// otherwise there is a conflict and the TCPRoute will not take effect. | ||
Delegate delegate = 3; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
skip delegate for tcp. We have no way of setting parent match conditions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left couple of couple of minor comments, otherwise LGTM
// It can be set only when `Route` and `Redirect` are empty, and the route rules of the | ||
// delegate VirtualService will be merged with that in the current one. | ||
// **NOTE**: | ||
// 1. Only one tier of delegate is supported. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: /s/"Only one tier of delegate is supported"/"Only one level delegation is supported"
// 1. Only one tier of delegate is supported. | ||
// 2. The delegate's HTTPMatchRequest must be a strict subset of the root's, | ||
// otherwise there is a conflict and the HTTPRoute will not take effect. | ||
Delegate delegate = 20; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we make this oneof (HttpRoute, HttpRedirect, Delegate)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to make this a separate pr.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems possible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. not a problem
Based on this proposal, added http route rules chaining.