// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// This file describes the abstract model of services (and their instances) as
// represented in Istio. This model is independent of the underlying platform
// (Kubernetes, Mesos, etc.). Platform-specific adapters populate the
// model object with various fields, from the metadata found in the platform.
// The platform independent proxy code uses the representation in the model to
// generate the configuration files for the Layer 7 proxy sidecar. The proxy
// code is specific to individual proxy implementations
package model
import (
"fmt"
"strconv"
"strings"
"sync"
"time"
endpoint "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
"github.com/mitchellh/copystructure"
"istio.io/api/label"
"istio.io/istio/pilot/pkg/networking"
"istio.io/istio/pilot/pkg/util/sets"
"istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/config/host"
"istio.io/istio/pkg/config/labels"
"istio.io/istio/pkg/config/protocol"
"istio.io/istio/pkg/config/visibility"
)
// Service describes an Istio service (e.g., catalog.mystore.com:8080)
// Each service has a fully qualified domain name (FQDN) and one or more
// ports where the service is listening for connections. *Optionally*, a
// service can have a single load balancer/virtual IP address associated
// with it, such that the DNS queries for the FQDN resolves to the virtual
// IP address (a load balancer IP).
//
// E.g., in kubernetes, a service foo is associated with
// foo.default.svc.cluster.local hostname, has a virtual IP of 10.0.1.1 and
// listens on ports 80, 8080
//
// Service embeds a sync.RWMutex and therefore must not be copied by
// assignment; use DeepCopy to obtain an independent clone.
type Service struct {
	// Attributes contains additional attributes associated with the service
	// used mostly by RBAC for policy enforcement purposes.
	Attributes ServiceAttributes

	// Ports is the set of network ports where the service is listening for
	// connections
	Ports PortList `json:"ports,omitempty"`

	// ServiceAccounts specifies the service accounts that run the service.
	// GetServiceAccounts merges these with the accounts of the instances.
	ServiceAccounts []string `json:"serviceAccounts,omitempty"`

	// CreationTime records the time this service was created, if available.
	CreationTime time.Time `json:"creationTime,omitempty"`

	// Hostname is the fully qualified name of the service, e.g. "catalog.mystore.com"
	Hostname host.Name `json:"hostname"`

	// Address specifies the service IPv4 address of the load balancer
	// Do not access directly. Use GetServiceAddressForProxy, which also
	// accounts for per-cluster VIPs and the auto-allocated address.
	Address string `json:"address,omitempty"`

	// AutoAllocatedAddress specifies the automatically allocated
	// IPv4 address out of the reserved Class E subnet
	// (240.240.0.0/16) for service entries with non-wildcard
	// hostnames. The IPs assigned to services are not
	// synchronized across istiod replicas as the DNS resolution
	// for these service entries happens completely inside a pod
	// whose proxy is managed by one istiod. That said, the algorithm
	// to allocate IPs is pretty deterministic that at stable state, two
	// istiods will allocate the exact same set of IPs for a given set of
	// service entries.
	AutoAllocatedAddress string `json:"autoAllocatedAddress,omitempty"`

	// Mutex protects concurrent ClusterVIPs read/write.
	// NOTE(review): DeepCopy reads ClusterVIPs without taking this lock;
	// callers that may race with a writer have to serialise the call.
	Mutex sync.RWMutex

	// ClusterVIPs specifies the service address of the load balancer
	// in each of the clusters where the service resides
	ClusterVIPs map[string]string `json:"cluster-vips,omitempty"`

	// Resolution indicates how the service instances need to be resolved before routing
	// traffic. Most services in the service registry will use static load balancing wherein
	// the proxy will decide the service instance that will receive the traffic. Service entries
	// could either use DNS load balancing (i.e. proxy will query DNS server for the IP of the service)
	// or use the passthrough model (i.e. proxy will forward the traffic to the network endpoint requested
	// by the caller)
	Resolution Resolution

	// MeshExternal (if true) indicates that the service is external to the mesh.
	// These services are defined using Istio's ServiceEntry spec.
	// Exposed through the External predicate.
	MeshExternal bool
}
// Resolution indicates how the service instances need to be resolved before routing
// traffic.
type Resolution int

const (
	// ClientSideLB implies that the proxy will decide the endpoint from its local lb pool
	ClientSideLB Resolution = iota
	// DNSLB implies that the proxy will resolve a DNS address and forward to the resolved address
	DNSLB
	// Passthrough implies that the proxy should forward traffic to the destination IP requested by the caller
	Passthrough
)

// String renders a Resolution as its human-readable name ("ClientSide",
// "DNS" or "Passthrough"). Any other value is rendered as its decimal code
// so that an unexpected resolution is still visible in logs.
func (r Resolution) String() string {
	switch r {
	case ClientSideLB:
		return "ClientSide"
	case DNSLB:
		return "DNS"
	case Passthrough:
		return "Passthrough"
	}
	return fmt.Sprintf("%d", int(r))
}
const (
	// IstioDefaultConfigNamespace constant for default namespace
	IstioDefaultConfigNamespace = "default"

	// LocalityLabel indicates the region/zone/subzone of an instance. It is used to override the native
	// registry's value.
	//
	// Note: because k8s labels does not support `/`, so we use `.` instead in k8s.
	LocalityLabel = "istio-locality"
	// k8sSeparator is the k8s istio-locality label separator; GetLocalityLabelOrDefault
	// rewrites it to "/" when producing the canonical region/zone/subzone form.
	k8sSeparator = "."
)
const (
	// TLSModeLabelShortname name used for determining endpoint level tls transport socket configuration
	TLSModeLabelShortname = "tlsMode"

	// DisabledTLSModeLabel implies that this endpoint should receive traffic as is (mostly plaintext).
	// It is also the value GetTLSModeFromEndpointLabels returns when the label is absent.
	DisabledTLSModeLabel = "disabled"

	// IstioMutualTLSModeLabel implies that the endpoint is ready to receive Istio mTLS connections.
	IstioMutualTLSModeLabel = "istio"

	// IstioCanonicalServiceLabelName is the name of label for the Istio Canonical Service for a workload instance.
	IstioCanonicalServiceLabelName = "service.istio.io/canonical-name"

	// IstioCanonicalServiceRevisionLabelName is the name of label for the Istio Canonical Service revision for a workload instance.
	IstioCanonicalServiceRevisionLabelName = "service.istio.io/canonical-revision"
)
// Port represents a network port where a service is listening for
// connections. The port should be annotated with the type of protocol
// used by the port.
type Port struct {
	// Name ascribes a human readable name for the port object. When a
	// service has multiple ports, the name field is mandatory.
	// PortList.Get looks ports up by this name.
	Name string `json:"name,omitempty"`

	// Port number where the service can be reached. Does not necessarily
	// map to the corresponding port numbers for the instances behind the
	// service.
	Port int `json:"port"`

	// Protocol to be used for the port.
	Protocol protocol.Instance `json:"protocol,omitempty"`
}
// PortList is a set of ports; see GetNames, Get and GetByPort for lookups.
type PortList []*Port
// TrafficDirection defines whether traffic exits a service instance or enters a service instance
type TrafficDirection string
const (
	// TrafficDirectionInbound indicates inbound traffic
	TrafficDirectionInbound TrafficDirection = "inbound"
	// TrafficDirectionOutbound indicates outbound traffic
	TrafficDirectionOutbound TrafficDirection = "outbound"

	// trafficDirectionOutboundSrvPrefix the prefix for a DNS SRV type subset key
	// ("outbound_"); ParseSubsetKey uses it to detect the DNS SRV form.
	trafficDirectionOutboundSrvPrefix = string(TrafficDirectionOutbound) + "_"
	// trafficDirectionInboundSrvPrefix the prefix for a DNS SRV type subset key
	// ("inbound_"); ParseSubsetKey uses it to detect the DNS SRV form.
	trafficDirectionInboundSrvPrefix = string(TrafficDirectionInbound) + "_"
)
// Probe represents a health probe associated with an instance of service.
type Probe struct {
	// Port the probe targets.
	Port *Port `json:"port,omitempty"`
	// Path of the probe; presumably an HTTP path, the type does not say.
	Path string `json:"path,omitempty"`
}
// ProbeList is a set of probes.
type ProbeList []*Probe
// ServiceInstance represents an individual instance of a specific version
// of a service. It binds a network endpoint (ip:port), the service
// description (which is oblivious to various versions) and a set of labels
// that describe the service version associated with this instance.
//
// Since a ServiceInstance has a single IstioEndpoint, which has a single port,
// multiple ServiceInstances are required to represent a workload that listens
// on multiple ports.
//
// The labels associated with a service instance are unique per a network endpoint.
// There is one well defined set of labels for each service instance network endpoint.
//
// For example, the set of service instances associated with catalog.mystore.com
// are modeled like this
// --> IstioEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
// --> IstioEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
// --> IstioEndpoint(172.16.0.3:8888), Service(catalog.myservice.com), Labels(kitty=cat)
// --> IstioEndpoint(172.16.0.4:8888), Service(catalog.myservice.com), Labels(kitty=cat)
type ServiceInstance struct {
	// Service is the service this instance belongs to.
	Service *Service `json:"service,omitempty"`
	// ServicePort is the service-level port this instance serves. DeepCopy
	// dereferences it, so it is expected to be non-nil.
	ServicePort *Port `json:"servicePort,omitempty"`
	// Endpoint is the concrete network endpoint (address and workload port).
	Endpoint *IstioEndpoint `json:"endpoint,omitempty"`
}
// DeepCopy creates a copy of ServiceInstance.
//
// Service and Endpoint are cloned through their own DeepCopy methods; the
// ServicePort is rebuilt field by field. The receiver's ServicePort must be
// non-nil, otherwise this panics.
func (instance *ServiceInstance) DeepCopy() *ServiceInstance {
	port := &Port{
		Name:     instance.ServicePort.Name,
		Port:     instance.ServicePort.Port,
		Protocol: instance.ServicePort.Protocol,
	}
	clone := &ServiceInstance{
		Service:     instance.Service.DeepCopy(),
		ServicePort: port,
		Endpoint:    instance.Endpoint.DeepCopy(),
	}
	return clone
}
// WorkloadInstance describes a workload (by name and namespace) together with
// its endpoint and the mapping of port names to port numbers it exposes.
type WorkloadInstance struct {
	// Name of the workload.
	Name string `json:"name,omitempty"`
	// Namespace the workload lives in.
	Namespace string `json:"namespace,omitempty"`
	// Endpoint is the workload's network endpoint; may be nil (see WorkloadInstancesEqual).
	Endpoint *IstioEndpoint `json:"endpoint,omitempty"`
	// PortMap maps port names to port numbers.
	PortMap map[string]uint32 `json:"portMap,omitempty"`
}
// DeepCopy creates a copy of WorkloadInstance.
//
// The PortMap is copied into a fresh map (always non-nil, even when the
// source map is nil) and the Endpoint is cloned via IstioEndpoint.DeepCopy.
func (instance *WorkloadInstance) DeepCopy() *WorkloadInstance {
	ports := make(map[string]uint32, len(instance.PortMap))
	for name, number := range instance.PortMap {
		ports[name] = number
	}
	return &WorkloadInstance{
		Name:      instance.Name,
		Namespace: instance.Namespace,
		Endpoint:  instance.Endpoint.DeepCopy(),
		PortMap:   ports,
	}
}
// WorkloadInstancesEqual is a custom comparison of workload instances based on
// the fields that we need. It compares the endpoint's Address, Network,
// TLSMode, Labels, ServiceAccount, Locality and LbWeight, plus the instance
// Namespace, Name and PortMap; other endpoint fields (for example
// EndpointPort, ServicePortName or EnvoyEndpoint) are ignored.
// Two instances with nil endpoints compare equal; one nil endpoint never does.
// Returns true if equal, false otherwise.
func WorkloadInstancesEqual(first, second *WorkloadInstance) bool {
	a, b := first.Endpoint, second.Endpoint
	if a == nil || b == nil {
		return a == b
	}
	return a.Address == b.Address &&
		a.Network == b.Network &&
		a.TLSMode == b.TLSMode &&
		a.Labels.Equals(b.Labels) &&
		a.ServiceAccount == b.ServiceAccount &&
		a.Locality == b.Locality &&
		a.LbWeight == b.LbWeight &&
		first.Namespace == second.Namespace &&
		first.Name == second.Name &&
		portMapEquals(first.PortMap, second.PortMap)
}
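// portMapEquals reports whether two port maps hold exactly the same
// name -> port entries. nil and empty maps compare equal.
func portMapEquals(a, b map[string]uint32) bool {
	if len(a) != len(b) {
		return false
	}
	for name, port := range a {
		// The presence check matters: a missing key reads as 0, which would
		// otherwise make {"http": 0} equal to {"grpc": 0}.
		other, ok := b[name]
		if !ok || other != port {
			return false
		}
	}
	return true
}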
// GetLocalityLabelOrDefault returns the locality from the supplied label, or falls back to
// the supplied default locality if the supplied label is empty. Because Kubernetes
// labels don't support `/`, we replace "." with "/" in the supplied label as a workaround.
// A label that already contains "/" is returned unchanged.
func GetLocalityLabelOrDefault(label, defaultLabel string) string {
	if label == "" {
		return defaultLabel
	}
	if strings.Contains(label, "/") {
		// Already in region/zone/subzone form; nothing to translate.
		return label
	}
	return strings.Replace(label, k8sSeparator, "/", -1)
}
// SplitLocalityLabel splits a "/"-separated locality label into region, zone
// and subzone strings. Missing trailing components are returned as "";
// components beyond the third are dropped.
func SplitLocalityLabel(locality string) (region, zone, subzone string) {
	parts := strings.Split(locality, "/")
	// strings.Split never returns an empty slice, so parts[0] always exists.
	region = parts[0]
	if len(parts) > 1 {
		zone = parts[1]
	}
	if len(parts) > 2 {
		subzone = parts[2]
	}
	return region, zone, subzone
}
// Locality information for an IstioEndpoint. Both fields are plain strings,
// so two Locality values can be compared with ==.
type Locality struct {
	// Label for locality on the endpoint. This is a "/" separated string
	// (region/zone/subzone, see SplitLocalityLabel).
	Label string

	// ClusterID where the endpoint is located
	ClusterID string
}
// IstioEndpoint defines a network address (IP:port) associated with an instance of the
// service. A service has one or more instances each running in a
// container/VM/pod. If a service has multiple ports, then the same
// instance IP is expected to be listening on multiple ports (one per each
// service port). Note that the port associated with an instance does not
// have to be the same as the port associated with the service. Depending
// on the network setup (NAT, overlays), this could vary.
//
// For e.g., if catalog.mystore.com is accessible through port 80 and 8080,
// and it maps to an instance with IP 172.16.0.1, such that connections to
// port 80 are forwarded to port 55446, and connections to port 8080 are
// forwarded to port 33333,
//
// then internally, we have two endpoint structs for the
// service catalog.mystore.com
// --> 172.16.0.1:55446 (with ServicePort pointing to 80) and
// --> 172.16.0.1:33333 (with ServicePort pointing to 8080)
//
// TODO: Investigate removing ServiceInstance entirely.
type IstioEndpoint struct {
	// Labels points to the workload or deployment labels.
	Labels labels.Instance

	// Address is the address of the endpoint, using envoy proto.
	Address string

	// ServicePortName tracks the name of the port, this is used to select the IstioEndpoint by service port.
	ServicePortName string

	// EnvoyEndpoint is a cached LbEndpoint, converted from the data, to
	// avoid recomputation
	EnvoyEndpoint *endpoint.LbEndpoint

	// ServiceAccount holds the associated service account.
	// GetServiceAccounts aggregates this across instances; empty values are skipped.
	ServiceAccount string

	// Network holds the network where this endpoint is present
	Network string

	// The locality where the endpoint is present.
	Locality Locality

	// EndpointPort is the port where the workload is listening, can be different
	// from the service port.
	EndpointPort uint32

	// The load balancing weight associated with this endpoint.
	LbWeight uint32

	// TLSMode endpoint is injected with istio sidecar and ready to configure Istio mTLS.
	// NOTE(review): presumably the raw value of the security.istio.io/tlsMode label
	// (see GetTLSModeFromEndpointLabels); confirm at the registry that fills it.
	TLSMode string

	// Namespace that this endpoint belongs to. This is for telemetry purpose.
	Namespace string

	// Name of the workload that this endpoint belongs to. This is for telemetry purpose.
	WorkloadName string

	// Specifies the hostname of the Pod, empty for vm workload.
	HostName string

	// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
	SubDomain string

	// The ingress tunnel supportability of this endpoint.
	// If this endpoint sidecar proxy does not support h2 tunnel, this endpoint will not show up in the EDS clusters
	// which are generated for h2 tunnel.
	TunnelAbility networking.TunnelAbility
}
// ServiceAttributes represents a group of custom attributes of the service.
type ServiceAttributes struct {
	// ServiceRegistry indicates the backing service registry system where this service
	// was sourced from.
	// TODO: move the ServiceRegistry type from platform.go to model
	ServiceRegistry string
	// Name is "destination.service.name" attribute
	Name string
	// Namespace is "destination.service.namespace" attribute
	Namespace string
	// Labels applied to the service
	Labels map[string]string
	// UID is "destination.service.uid" attribute
	UID string
	// ExportTo defines the visibility of Service in
	// a namespace when the namespace is imported.
	ExportTo map[visibility.Instance]bool

	// LabelSelectors are the labels used by the service to select workloads.
	// Applicable to both Kubernetes and ServiceEntries.
	LabelSelectors map[string]string

	// For Kubernetes platform

	// ClusterExternalAddresses is a mapping between a cluster name and the external
	// address(es) to access the service from outside the cluster.
	// Used by the aggregator to aggregate the Attributes.ClusterExternalAddresses
	// for clusters where the service resides
	ClusterExternalAddresses map[string][]string

	// ClusterExternalPorts is a mapping between a cluster name and the service port
	// to node port mappings for a given service. When accessing the service via
	// node port IPs, we need to use the kubernetes assigned node ports of the service
	// The port that the user provides in the meshNetworks config is the service port.
	// We translate that to the appropriate node port here.
	ClusterExternalPorts map[string]map[uint32]uint32
}
// ServiceDiscovery enumerates Istio service instances.
// nolint: lll
type ServiceDiscovery interface {
	// Services list declarations of all services in the system
	Services() ([]*Service, error)

	// GetService retrieves a service by host name if it exists
	GetService(hostname host.Name) (*Service, error)

	// InstancesByPort retrieves instances for a service on the given ports with labels that match
	// any of the supplied labels. All instances match an empty tag list.
	//
	// For example, consider an example of catalog.mystore.com:
	// Instances(catalog.myservice.com, 80) ->
	// --> IstioEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	// --> IstioEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	// --> IstioEndpoint(172.16.0.3:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	// --> IstioEndpoint(172.16.0.4:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	//
	// Calling Instances with specific labels returns a trimmed list.
	// e.g., Instances(catalog.myservice.com, 80, foo=bar) ->
	// --> IstioEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	// --> IstioEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//
	// Similar concepts apply for calling this function with a specific
	// port, hostname and labels.
	//
	// Introduced in Istio 0.8. It is only called with 1 port.
	// CDS (clusters.go) calls it for building 'dnslb' type clusters.
	// EDS calls it for building the endpoints result.
	// GetServiceAccounts in this file also calls it, once per port.
	// Consult istio-dev before using this for anything else (except debugging/tools)
	InstancesByPort(svc *Service, servicePort int, labels labels.Collection) []*ServiceInstance

	// GetProxyServiceInstances returns the service instances that co-located with a given Proxy
	//
	// Co-located generally means running in the same network namespace and security context.
	//
	// A Proxy operating as a Sidecar will return a non-empty slice. A stand-alone Proxy
	// will return an empty slice.
	//
	// There are two reasons why this returns multiple ServiceInstances instead of one:
	// - A ServiceInstance has a single IstioEndpoint which has a single Port. But a Service
	// may have many ports. So a workload implementing such a Service would need
	// multiple ServiceInstances, one for each port.
	// - A single workload may implement multiple logical Services.
	//
	// In the second case, multiple services may be implemented by the same physical port number,
	// though with a different ServicePort and IstioEndpoint for each. If any of these overlapping
	// services are not HTTP or H2-based, behavior is undefined, since the listener may not be able to
	// determine the intended destination of a connection without a Host header on the request.
	GetProxyServiceInstances(*Proxy) []*ServiceInstance

	// GetProxyWorkloadLabels returns the label collection the registry associates
	// with the workload behind the given Proxy.
	GetProxyWorkloadLabels(*Proxy) labels.Collection

	// GetIstioServiceAccounts returns a list of service accounts looked up from
	// the specified service hostname and ports.
	//
	// Deprecated: service account tracking moved to XdsServer, incremental.
	GetIstioServiceAccounts(svc *Service, ports []int) []string

	// NetworkGateways returns a map of network name to Gateways that can be used to access that network.
	NetworkGateways() map[string][]*Gateway
}
// GetNames returns the names of all ports, in list order. The result is
// always a non-nil slice, empty for an empty list.
func (ports PortList) GetNames() []string {
	out := make([]string, 0, len(ports))
	for i := range ports {
		out = append(out, ports[i].Name)
	}
	return out
}
// Get retrieves a port declaration by name. It returns the first port whose
// Name matches and true, or nil and false when no port has that name.
func (ports PortList) Get(name string) (*Port, bool) {
	for i := range ports {
		if ports[i].Name == name {
			return ports[i], true
		}
	}
	return nil, false
}
// GetByPort retrieves a port declaration by port value. UDP ports are
// skipped, so a UDP and a non-UDP port may share a number and only the
// non-UDP one is ever returned. Returns nil and false when nothing matches.
func (ports PortList) GetByPort(num int) (*Port, bool) {
	for i := range ports {
		candidate := ports[i]
		if candidate.Port != num || candidate.Protocol == protocol.UDP {
			continue
		}
		return candidate, true
	}
	return nil, false
}
// External reports whether the service is external to the mesh. It is
// nothing more than a read of the MeshExternal flag.
func (s *Service) External() bool {
	isExternal := s.MeshExternal
	return isExternal
}
// BuildSubsetKey generates a unique string referencing service instances for a given service name, a subset and a port.
// The proxy queries Pilot with this key to obtain the list of instances in a subset.
// The format is "direction|port|subset|hostname"; ParseSubsetKey is its inverse.
func BuildSubsetKey(direction TrafficDirection, subsetName string, hostname host.Name, port int) string {
	fields := []string{string(direction), strconv.Itoa(port), subsetName, string(hostname)}
	return strings.Join(fields, "|")
}
// BuildInboundSubsetKey generates a unique string referencing service instances with port.
// The subset and hostname are left empty, giving "inbound|<port>||".
func BuildInboundSubsetKey(port int) string {
	key := BuildSubsetKey(TrafficDirectionInbound, "", "", port)
	return key
}
// BuildDNSSrvSubsetKey generates a unique string referencing service instances for a given service name, a subset and a port.
// The proxy queries Pilot with this key to obtain the list of instances in a subset.
// This is used only for the SNI-DNAT router. Do not use for other purposes.
// The DNS Srv format of the cluster is also used as the default SNI string for Istio mTLS connections.
// The format is "direction_.port_.subset_.hostname"; ParseSubsetKey recognises it by its prefix.
func BuildDNSSrvSubsetKey(direction TrafficDirection, subsetName string, hostname host.Name, port int) string {
	fields := []string{string(direction), strconv.Itoa(port), subsetName, string(hostname)}
	return strings.Join(fields, "_.")
}
// IsValidSubsetKey checks if a string is valid for subset key parsing: it
// must split into exactly four "|"-separated fields. Only the pipe form is
// recognised here, not the DNS SRV form.
func IsValidSubsetKey(s string) bool {
	return len(strings.Split(s, "|")) == 4
}
// ParseSubsetKey is the inverse of the BuildSubsetKey method. It also
// accepts the DNS SRV form produced by BuildDNSSrvSubsetKey
// (outbound_.port_.subset_.hostname), detected by its prefix, so callers
// need not know which of the two forms they hold.
//
// A key with fewer than four fields yields all zero values. A port that does
// not parse as an integer yields 0; the parse error is intentionally dropped.
func ParseSubsetKey(s string) (direction TrafficDirection, subsetName string, hostname host.Name, port int) {
	dnsSrvMode := strings.HasPrefix(s, trafficDirectionOutboundSrvPrefix) ||
		strings.HasPrefix(s, trafficDirectionInboundSrvPrefix)

	var parts []string
	if dnsSrvMode {
		// SplitN keeps every '.' after the third separator inside the hostname.
		parts = strings.SplitN(s, ".", 4)
	} else {
		parts = strings.Split(s, "|")
	}
	if len(parts) < 4 {
		return
	}

	direction = TrafficDirection(strings.TrimSuffix(parts[0], "_"))
	port, _ = strconv.Atoi(strings.TrimSuffix(parts[1], "_"))
	subsetName = parts[2]
	if dnsSrvMode {
		subsetName = strings.TrimSuffix(subsetName, "_")
	}
	hostname = host.Name(parts[3])
	return direction, subsetName, hostname, port
}
// GetServiceAddressForProxy returns a Service's IP address specific to the cluster where the node resides.
//
// Precedence: the VIP recorded in push.ServiceIndex.ClusterVIPs for the
// proxy's cluster, then the auto-allocated address (only when the proxy has
// DNS capture and auto-allocation enabled and the service has no real
// address), and finally the plain Address.
func (s *Service) GetServiceAddressForProxy(node *Proxy, push *PushContext) string {
	meta := node.Metadata
	if meta != nil && meta.ClusterID != "" {
		// Indexing a nil inner map is safe and just yields "".
		if vip := push.ServiceIndex.ClusterVIPs[s][meta.ClusterID]; vip != "" {
			return vip
		}
	}
	if meta != nil && meta.DNSCapture && meta.DNSAutoAllocate &&
		s.Address == constants.UnspecifiedIP && s.AutoAllocatedAddress != "" {
		return s.AutoAllocatedAddress
	}
	return s.Address
}
// GetTLSModeFromEndpointLabels returns the value of the label
// security.istio.io/tlsMode if set, and DisabledTLSModeLabel otherwise.
// Do not return Enums or constants from this function as users could provide
// values other than istio/disabled and apply custom transport socket matchers
// here; the label value is passed through unmodified.
func GetTLSModeFromEndpointLabels(labels map[string]string) string {
	// Indexing a nil map is safe in Go, so no explicit nil check is needed.
	if mode, ok := labels[label.SecurityTlsMode.Name]; ok {
		return mode
	}
	return DisabledTLSModeLabel
}
// GetServiceAccounts returns aggregated list of service accounts of Service plus its instances.
//
// For every requested port the instances are looked up via
// discovery.InstancesByPort with no label filter, and each non-empty
// Endpoint.ServiceAccount is collected; the service's own ServiceAccounts are
// added on top. The result is de-duplicated and in no particular order.
func GetServiceAccounts(svc *Service, ports []int, discovery ServiceDiscovery) []string {
	accounts := sets.Set{}
	// Get the service accounts running service within Kubernetes. This is reflected by the pods that
	// the service is deployed on, and the service accounts of the pods.
	for _, port := range ports {
		for _, instance := range discovery.InstancesByPort(svc, port, labels.Collection{}) {
			if account := instance.Endpoint.ServiceAccount; account != "" {
				accounts.Insert(account)
			}
		}
	}
	accounts.Insert(svc.ServiceAccounts...)
	return accounts.UnsortedList()
}
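// DeepCopy creates a clone of Service.
//
// copystructure cannot be applied to the whole struct because Service embeds a
// sync.RWMutex, which must not be copied; the reference-typed fields are
// cloned individually and the scalar fields are assigned. The clone starts
// with a fresh, unlocked Mutex.
//
// ClusterVIPs is read here without taking s.Mutex; a caller that may race with
// a concurrent writer has to serialise the call itself.
//
// TODO : See if there is any efficient alternative to this function.
func (s *Service) DeepCopy() *Service {
	attrs := copyInternal(s.Attributes)
	ports := copyInternal(s.Ports)
	accounts := copyInternal(s.ServiceAccounts)
	clusterVIPs := copyInternal(s.ClusterVIPs)

	return &Service{
		Attributes:      attrs.(ServiceAttributes),
		Ports:           ports.(PortList),
		ServiceAccounts: accounts.([]string),
		CreationTime:    s.CreationTime,
		Hostname:        s.Hostname,
		Address:         s.Address,
		// Previously omitted from the copy, which left clones of
		// auto-allocated ServiceEntry services without their address.
		AutoAllocatedAddress: s.AutoAllocatedAddress,
		ClusterVIPs:          clusterVIPs.(map[string]string),
		Resolution:           s.Resolution,
		MeshExternal:         s.MeshExternal,
	}
}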
// DeepCopy creates a clone of IstioEndpoint via copyInternal, so every
// reference-typed field (Labels, EnvoyEndpoint) is copied rather than shared.
func (ep *IstioEndpoint) DeepCopy() *IstioEndpoint {
	var clone *IstioEndpoint
	clone = copyInternal(ep).(*IstioEndpoint)
	return clone
}
// copyInternal deep-copies v with copystructure and returns the copy as an
// interface{} for the caller to type-assert. A copy error is treated as a
// programmer bug and panics.
func copyInternal(v interface{}) interface{} {
	copied, err := copystructure.Copy(v)
	if err == nil {
		return copied
	}
	// There are 2 locations where errors are generated in copystructure.Copy:
	// * The reflection walk over the structure fails, which should never happen
	// * A configurable copy function returns an error. This is only used for copying times, which never returns an error.
	// Therefore, this should never happen
	panic(err)
}