Support define configscope for k8s service (#10598)

* Support define configscope for k8s service * use annotation to specify service config scope * update annotation * update annotation
istio · Dec 31, 2018 · fe94f7f · fe94f7f
1 parent 0ee930a
commit fe94f7f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 9 deletions.
diff --git a/pilot/pkg/model/service.go b/pilot/pkg/model/service.go
@@ -35,6 +35,7 @@ import (
 
 	authn "istio.io/api/authentication/v1alpha1"
 	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pkg/features/pilot"
 )
 
 // Hostname describes a (possibly wildcarded) hostname
@@ -360,12 +361,6 @@ type ServiceInstance struct {
 	ServiceAccount string          `json:"serviceaccount,omitempty"`
 }
 
-const (
-	// AZLabel indicates the region/zone of an instance. It is used if the native
-	// registry doesn't provide one.
-	AZLabel = "istio-az"
-)
-
 // GetLocality returns the availability zone from an instance.
 // - k8s: region/zone, extracted from node's failure-domain.beta.kubernetes.io/{region,zone}
 // - consul: defaults to 'instance.Datacenter'
@@ -375,7 +370,7 @@ func (si *ServiceInstance) GetLocality() string {
 	if si.Endpoint.Locality != "" {
 		return si.Endpoint.Locality
 	}
-	return si.Labels[AZLabel]
+	return si.Labels[pilot.AZLabel]
 }
 
 // IstioEndpoint has the information about a single address+port for a specific

diff --git a/pilot/pkg/serviceregistry/kube/conversion.go b/pilot/pkg/serviceregistry/kube/conversion.go
@@ -20,13 +20,14 @@ import (
 	"strconv"
 	"strings"
 
-	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-multierror"
 	"k8s.io/api/core/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	networking "istio.io/api/networking/v1alpha3"
 	"istio.io/istio/pilot/pkg/model"
+	"istio.io/istio/pkg/features/pilot"
 )
 
 const (
@@ -88,6 +89,7 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 		ports = append(ports, convertPort(port))
 	}
 
+	configScope := networking.ConfigScope_PUBLIC
 	serviceaccounts := make([]string, 0)
 	if svc.Annotations != nil {
 		if svc.Annotations[CanonicalServiceAccountsAnnotation] != "" {
@@ -100,6 +102,9 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 				serviceaccounts = append(serviceaccounts, kubeToIstioServiceAccount(ksa, svc.Namespace, domainSuffix))
 			}
 		}
+		if svc.Labels[pilot.ServiceConfigScopeAnnotation] == networking.ConfigScope_name[int32(networking.ConfigScope_PRIVATE)] {
+			configScope = networking.ConfigScope_PRIVATE
+		}
 	}
 	sort.Sort(sort.StringSlice(serviceaccounts))
 
@@ -115,7 +120,7 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 			Name:        svc.Name,
 			Namespace:   svc.Namespace,
 			UID:         fmt.Sprintf("istio://%s/services/%s", svc.Namespace, svc.Name),
-			ConfigScope: networking.ConfigScope_PUBLIC,
+			ConfigScope: configScope,
 		},
 	}
 }

diff --git a/pkg/features/pilot/pilot.go b/pkg/features/pilot/pilot.go
@@ -81,4 +81,13 @@ const (
 	// set at injection time. When set, the Endpoints returned to a note and not on same network
 	// will be replaced with the gateway defined in the settings.
 	NodeMetadataNetwork = "NETWORK"
+
+	// AZLabel indicates the region/zone of an instance. It is used if the native
+	// registry doesn't provide one.
+	AZLabel = "istio-az"
+
+	// ServiceConfigScopeAnnotation configs the scope the service visible to.
+	//   "PUBLIC" which is the default, indicates it is reachable within the mesh
+	//   "PRIVATE" indicates it is reachable within its namespace
+	ServiceConfigScopeAnnotation = "networking.istio.io/configScope"
 )