Fixes istio/istio#12873. Add field Sidecar.OutboundTrafficPolicy to o…

[robertpanzer]

…verride outbound traffic policy per sidecar

This PR tries to solve https://github.com/istio/istio/12873.
For that it adds a field Sidecar.OutboundTrafficPolicy that is currently a copy of the same field in the Mesh configuration.

I actually wanted to reuse that type and move it to network/v1alpha3, but the build has another opinion on this and fails.
Would it work to move the type mesh/v1alpha1.MeshConfig_OutboundTrafficPolicy to network/v1alpha3/OutboundTrafficPolicy?
In my understanding this should result in the same Wire format, so that it should still work to run a newer Galley with an older Pilot or vice versa.
Are there any opinions on this?
And if it would be ok to move this, how can I do it? Currently make fails when moving this type.

[googlebot]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

[istio-testing]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: robertpanzer
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: kyessenov

If they are not already assigned, you can assign the PR to them by writing /assign @kyessenov in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[istio-testing]

Hi @robertpanzer. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[mandarjog]

/ok-to-test

[rshriram]

you dont need these two here.. since you are copying the struct

[robertpanzer]

Awesome, thank you!

So you mean I can remove the struct from v1alpha1?
Or do you mean I can remove the reserved 2; and the following line?

[rshriram]

I dont think you can remove the struct from the mesh/v1alpha1 without causing some form of circular dependency thing IIRC.. though @ozevren would have to attest to that. For the purpose of this PR though, I would suggest that you remove the reserved 2 and the reserved VIRTUAL.. line as this is an entirely new message introduced in this file..

[robertpanzer]

Ok, I'll do that. Thanks for the clarification.

My original intent was to have this struct only in networking.v1alpha3 and remove the one in mesh.v1alpha1.
There is already one dependency in that direction; adding a reference to mesh.v1alpha1.OutboundTrafficPolicy from networking.v1alpha3 would create a cyclic dependency.

[robertpanzer]

@rshriram I removed the reserved field and updated the PR by amending the commit (To avoid the breaking change in proto.lock in the commit history).

[rshriram]

cc @louiscryan thoughts?

[costinm]

Please revert and move to master - AFAIK we are not supposed to make API changes in 1.1 ( or it needs to go trough release manager, review, etc )

release-1.1 branch is released every week - so the TOC review can be too late.

[costinm]

@duderino

[costinm]

On the content of the API change: I don't think this is the best way, it has multiple problems:

• like public/private, it is too narrow
• not aligned with 'egress' and 'exportTo' - where for internal traffic we provide a list
• not aligned with ServiceEntry - which is normally used to control egress, and has different syntax

It is also quite confusing - what is 'outbound traffic' ?

• Egress is used in most places in the docs. What is different between egress and outbound traffic and why a new term used here ?
• traffic to other Istio services is also outbond traffic. Is it affected ? Why ? Why not ?
• what happens when we want to allow specific ports, or http hosts ?

[robertpanzer]

Sorry for creating this.
OutboundTrafficPolicy is already part of Istio's Mesh configuration and I agree that it is confusing.
But all that configuration does is to allow application owners to refine this configuration for their workloads.

I think though that the term "external" refers to MESH_EXTERNAL.