From fe94f7f7f4104928c672a83e980d5a43a345f770 Mon Sep 17 00:00:00 2001
From: Zhonghu Xu
Date: Tue, 1 Jan 2019 04:52:41 +0800
Subject: [PATCH] Support define configscope for k8s service (#10598)
* Support define configscope for k8s service
* use annotation to specify service config scope
* update annotation
* update annotation
---
 pilot/pkg/model/service.go | 9 ++-------
 pilot/pkg/serviceregistry/kube/conversion.go | 9 +++++++--
 pkg/features/pilot/pilot.go | 9 +++++++++
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/pilot/pkg/model/service.go b/pilot/pkg/model/service.go
index 01db25b16b0f..e2f6c42271fa 100644
--- a/pilot/pkg/model/service.go
+++ b/pilot/pkg/model/service.go
@@ -35,6 +35,7 @@ import (
 authn "istio.io/api/authentication/v1alpha1"
 networking "istio.io/api/networking/v1alpha3"
+ "istio.io/istio/pkg/features/pilot"
 )
 // Hostname describes a (possibly wildcarded) hostname
@@ -360,12 +361,6 @@ type ServiceInstance struct {
 ServiceAccount string `json:"serviceaccount,omitempty"`
 }
-const (
- // AZLabel indicates the region/zone of an instance. It is used if the native
- // registry doesn't provide one.
- AZLabel = "istio-az"
-)
-
 // GetLocality returns the availability zone from an instance.
 // - k8s: region/zone, extracted from node's failure-domain.beta.kubernetes.io/{region,zone}
 // - consul: defaults to 'instance.Datacenter'
@@ -375,7 +370,7 @@ func (si *ServiceInstance) GetLocality() string {
 if si.Endpoint.Locality != "" {
 return si.Endpoint.Locality
 }
- return si.Labels[AZLabel]
+ return si.Labels[pilot.AZLabel]
 }
 // IstioEndpoint has the information about a single address+port for a specific
diff --git a/pilot/pkg/serviceregistry/kube/conversion.go b/pilot/pkg/serviceregistry/kube/conversion.go
index 17f50aa68031..8a929bcfeb0d 100644
--- a/pilot/pkg/serviceregistry/kube/conversion.go
+++ b/pilot/pkg/serviceregistry/kube/conversion.go
@@ -20,13 +20,14 @@ import (
 "strconv"
 "strings"
- multierror "github.com/hashicorp/go-multierror"
+ "github.com/hashicorp/go-multierror"
 "k8s.io/api/core/v1"
 meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 networking "istio.io/api/networking/v1alpha3"
 "istio.io/istio/pilot/pkg/model"
+ "istio.io/istio/pkg/features/pilot"
 )
 const (
@@ -88,6 +89,7 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 ports = append(ports, convertPort(port))
 }
+ configScope := networking.ConfigScope_PUBLIC
 serviceaccounts := make([]string, 0)
 if svc.Annotations != nil {
 if svc.Annotations[CanonicalServiceAccountsAnnotation] != "" {
@@ -100,6 +102,9 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 serviceaccounts = append(serviceaccounts, kubeToIstioServiceAccount(ksa, svc.Namespace, domainSuffix))
 }
 }
+ if svc.Labels[pilot.ServiceConfigScopeAnnotation] == networking.ConfigScope_name[int32(networking.ConfigScope_PRIVATE)] {
+ configScope = networking.ConfigScope_PRIVATE
+ }
 }
 sort.Sort(sort.StringSlice(serviceaccounts))
@@ -115,7 +120,7 @@ func convertService(svc v1.Service, domainSuffix string) *model.Service {
 Name: svc.Name,
 Namespace: svc.Namespace,
 UID: fmt.Sprintf("istio://%s/services/%s", svc.Namespace, svc.Name),
- ConfigScope: networking.ConfigScope_PUBLIC,
+ ConfigScope: configScope,
 },
 }
 }
diff --git a/pkg/features/pilot/pilot.go b/pkg/features/pilot/pilot.go
index 59b0035be7c8..8ed8dc0d671a 100644
--- a/pkg/features/pilot/pilot.go
+++ b/pkg/features/pilot/pilot.go
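Review bot: The scope lookup added in the `@@ -100,6 +102,9 @@` hunk reads `svc.Labels[pilot.ServiceConfigScopeAnnotation]`, although the key is named and documented as an annotation and, going by the closing braces, the check sits inside `if svc.Annotations != nil`. A Service that carries `networking.istio.io/configScope: PRIVATE` as an annotation therefore stays `ConfigScope_PUBLIC`, and one that carries it only as a label with no annotations is never examined; both cases fail open to the mesh-wide default with no signal to the operator. Read the value from the annotation map instead: `if svc.Annotations[pilot.ServiceConfigScopeAnnotation] == networking.ConfigScope_name[int32(networking.ConfigScope_PRIVATE)] {`. The comparison is also exact and case-sensitive, so a value such as `private` silently falls back to PUBLIC; logging unrecognised values would make that visible. convertService starts and ends outside this hunk.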
@@ -81,4 +81,13 @@ const (
 // set at injection time. When set, the Endpoints returned to a note and not on same network
 // will be replaced with the gateway defined in the settings.
 NodeMetadataNetwork = "NETWORK"
+
+ // AZLabel indicates the region/zone of an instance. It is used if the native
+ // registry doesn't provide one.
+ AZLabel = "istio-az"
+
+ // ServiceConfigScopeAnnotation configs the scope the service visible to.
+ // "PUBLIC" which is the default, indicates it is reachable within the mesh
+ // "PRIVATE" indicates it is reachable within its namespace
+ ServiceConfigScopeAnnotation = "networking.istio.io/configScope"
 )
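Review bot: The comment on `ServiceConfigScopeAnnotation` describes both values as where the service is "reachable", which reads like an access boundary, while the only use visible in this patch is setting `ConfigScope` on the converted `model.Service`. It also leaves out that only the exact string `PRIVATE` is recognised and that any other value, or a missing key, yields PUBLIC. Suggested wording: `// ServiceConfigScopeAnnotation sets the config scope of a Kubernetes service.` followed by `// "PRIVATE" limits visibility to the service's own namespace; any other value, or none, means "PUBLIC" (mesh-wide).` If the scope is not meant to enforce access, a further line saying it does not replace an authorization policy would keep readers from relying on it as one. The const block starts outside this hunk.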