New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ambient upstream: upstream XDS codegen and some misc #43422
ambient upstream: upstream XDS codegen and some misc #43422
Conversation
/test ? |
@howardjohn: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test integ-ambient |
// Setup inbound clusters | ||
inboundPatcher := clusterPatcher{efw: envoyFilterPatches, pctx: networking.EnvoyFilter_SIDECAR_INBOUND} | ||
clusters = append(clusters, configgen.buildInboundClusters(cb, proxy, instances, inboundPatcher)...) | ||
clusters = append(clusters, configgen.buildInboundHBONEClusters(cb, proxy, instances)...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: this looks suspicious but we check EnableHBONE in buildInboundHBONEClusters so it does NOT impact non-HBONE users
/retest |
/test integ-ambient |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LG, not find a risky point.
@@ -82,6 +82,7 @@ func (s *Server) initKubeRegistry(args *PilotArgs) (err error) { | |||
args.RegistryOptions.ClusterRegistriesNamespace, | |||
args.RegistryOptions.KubeOptions, | |||
s.serviceEntryController, | |||
s.configController, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mark to check its usage
@@ -40,6 +40,8 @@ import ( | |||
|
|||
func TestConfigureIstioGateway(t *testing.T) { | |||
test.SetForTest(t, &features.EnableAmbientControllers, true) | |||
// Recompute with ambient enabled | |||
classInfos = getClassInfos() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is needed per the comment to rebuild. Since SetForTest is run after it is computed
ts := c.TransportSocket | ||
c.TransportSocket = nil | ||
|
||
c.TransportSocketMatches = []*cluster.Cluster_TransportSocketMatch{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
abstract like HboneOrPlaintextSocket
l := builder.getListeners() | ||
if builder.node.EnableHBONE() { | ||
if builder.node.IsAmbient() { | ||
l = append(l, outboundTunnelListener(builder.push, builder.node)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this after L107?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to finish patch listener before we do this. May be we should add buildWaypointListeners that calls buildSidecarListeners and does this stuff
if lb.node.Type == model.Router { | ||
return lb.gatewayListeners | ||
} | ||
nInbound, nOutbound := len(lb.inboundListeners), len(lb.outboundListeners) | ||
nHTTPProxy, nVirtual := 0, 0 | ||
if lb.httpProxyListener != nil { | ||
nHTTPProxy = 1 | ||
} | ||
if lb.virtualOutboundListener != nil { | ||
nVirtual = 1 | ||
} | ||
|
||
listeners := make([]*listener.Listener, 0, nListener) | ||
listeners = append(listeners, lb.outboundListeners...) | ||
if lb.httpProxyListener != nil { | ||
listeners = append(listeners, lb.httpProxyListener) | ||
} | ||
if lb.virtualOutboundListener != nil { | ||
listeners = append(listeners, lb.virtualOutboundListener) | ||
} | ||
listeners = append(listeners, lb.inboundListeners...) | ||
nListener := nInbound + nOutbound + nHTTPProxy + nVirtual | ||
|
||
log.Debugf("Build %d listeners for node %s including %d outbound, %d http proxy, "+ | ||
"%d virtual outbound", | ||
nListener, | ||
lb.node.ID, | ||
nOutbound, | ||
nHTTPProxy, | ||
nVirtual, | ||
) | ||
return listeners | ||
listeners := make([]*listener.Listener, 0, nListener) | ||
listeners = append(listeners, lb.outboundListeners...) | ||
if lb.httpProxyListener != nil { | ||
listeners = append(listeners, lb.httpProxyListener) | ||
} | ||
|
||
return lb.gatewayListeners | ||
if lb.virtualOutboundListener != nil { | ||
listeners = append(listeners, lb.virtualOutboundListener) | ||
} | ||
listeners = append(listeners, lb.inboundListeners...) | ||
|
||
log.Debugf("Build %d listeners for node %s including %d outbound, %d http proxy, "+ | ||
"%d virtual outbound", | ||
nListener, | ||
lb.node.ID, | ||
nOutbound, | ||
nHTTPProxy, | ||
nVirtual, | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where is the func updated? Just a refactoring router first?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes
pilot/pkg/xds/endpoint_builder.go
Outdated
workloads := findWaypoints(b.push, e) | ||
if len(workloads) > 0 { | ||
// TODO: load balance | ||
tunnelAddress = workloads[0].String() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this translate multi eps with same waytpoint address?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same waypoint yes, but the endpoints are not identical, so we cannot merge them and add weight
. Each one has two addresses associated: the waypoint, and the destination (set in :authority
) we want.
pilot/pkg/xds/endpoint_builder.go
Outdated
@@ -425,10 +460,54 @@ func buildEnvoyLbEndpoint(proxyless bool, e *model.IstioEndpoint) *endpoint.LbEn | |||
}, | |||
} | |||
} | |||
if dir == model.TrafficDirectionInboundVIP { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to move these to a waypoint endpoint builder like listener and cluster?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be a bit hard since this buildEnvoyLbEndpoint is a common function used by all types, we just have a small bit of custom logic here
cc @kyessenov to take a look at the waypoint builder |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally Looks great. Nicely done. Did not fully review the waypoint* files. We can do once this is merged. Left some comments. None of them are blockers.
@@ -445,6 +449,7 @@ func (cb *ClusterBuilder) buildInboundClusterForPortOrUDS(clusterPort int, bind | |||
} | |||
localCluster := cb.buildDefaultCluster(clusterName, clusterType, localityLbEndpoints, | |||
model.TrafficDirectionInbound, instance.ServicePort, instance.Service, allInstance) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: remove
model.TrafficDirectionInbound, &port, nil, nil) | ||
|
||
// Ensure VIP cluster has services metadata for stats filter usage | ||
im := getOrCreateIstioMetadata(localCluster.cluster) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be enabled only when telemetry is on?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TBH, not sure its going to matter. The waypoint XDS size is going to be orders of magnitude smaller than sidecars, so a bit of metadata here and there may be fine. We can followup as needed though, telemetry for waypoint is still under construction
l := builder.getListeners() | ||
if builder.node.EnableHBONE() { | ||
if builder.node.IsAmbient() { | ||
l = append(l, outboundTunnelListener(builder.push, builder.node)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to finish patch listener before we do this. May be we should add buildWaypointListeners that calls buildSidecarListeners and does this stuff
lb.inboundListeners = lb.buildInboundListeners() | ||
if lb.node.EnableHBONE() { | ||
lb.inboundListeners = append(lb.inboundListeners, lb.buildInboundHBONEListeners()...) | ||
if lb.node.IsWaypointProxy() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need HBone stuff for waypoint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do but its in buildWaypointInbound
. We have recently improved the HBONE impl for waypoint, so its a bit different than the sidecar one. There is work in #42789 to bring these in alignment which may clean this up
pilot/pkg/xds/endpoint_builder.go
Outdated
supportsTunnel = false | ||
} | ||
|
||
// For outbound case, we selectively add tunnel info if the other side supports the tunnel | ||
if supportsTunnel { | ||
if dir != model.TrafficDirectionInboundVIP && supportsTunnel { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
parse dir only if supportsTunnel is true and move this inside if supportsTunnel?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We actually need part of it even with !supportsTunnel. Let me add dir
to endpointBuilder so we don't re-parse it and clean up this logic.
pilot/pkg/xds/endpoint_builder.go
Outdated
if supportsTunnel { | ||
if dir != model.TrafficDirectionInboundVIP && supportsTunnel { | ||
// Support connecting to server side waypoint proxy, if the destination has one. This is for sidecars and ingress. | ||
if dir == model.TrafficDirectionOutbound && !b.proxy.IsWaypointProxy() && !b.proxy.IsAmbient() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this logic be enabled only when ambient mesh is enabled? Do we have such gloabl flag? findingWaypoints etc are not needed if ambient mesh is not enabled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is already the case :
if !b.proxy.EnableHBONE() {
supportsTunnel = false
}
which is controlled by bot a global flag AND a per-proxy flag enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But can't HBONE be enabled independently?
metadata: | ||
labels: | ||
gateway.istio.io/managed: istio.io-mesh-controller | ||
name: namespace-istio-waypoint |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a TODO list of bug to track reviewing/changing all user-visible names ?
I don't want to delay this PR - it is a merge - but the review criteria in an experimental branch is slightly different from the review on main - that's why it's experimental. I expect code has been tested and reviewed for functionality, and it is off by default - but we got into a lot of problems by
reviewing APIs and names as 'experimental/alpha' and then having to move them to beta/stable
due to backwards compat.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes definitely agree. Opened #43437 to track
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also to confirm - now or in future we will allow the user to create a ServiceAccount with the same name and additional annotations ? And we won't add or merge this on top ?
Can you at least add a TODO: that this needs to be documented and discussed. It has to be documented since users may need to add annotations ( for example to allow waypoint to get 3p service account tokens) and used in RBAC rules.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The plan is if the resource already exists (without gateway.istio.io/managed
) we will not touch it, so they can own it themselves. Note this isn't implemented but tracked in #43439
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note since we use Apply they can add annotations and we won't revert them btw. But it is useful to have them be able to fully own it I think.
@hzxuzhonghu I recently changed waypoint xDS and it's fine for now. We can iterate on the VirtualService translation for it later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks safe to me.
/retest |
/test integ-ambient |
We will need to enable independently - for VMs and other environments.
My understanding is that can be done by setting the ambient label on a
workload - i.e. a proxyless gRPC or VM or pod with 'native' or
sidecar-based ambient
will have the label and will get requests as hbone. I haven't tested this
- and we can add it later, but it is very important for 'other
environments' and migrations.
…On Fri, Feb 17, 2023 at 8:47 PM Rama Chavali ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pilot/pkg/xds/endpoint_builder.go
<#43422 (comment)>:
> supportsTunnel = false
}
// For outbound case, we selectively add tunnel info if the other side supports the tunnel
- if supportsTunnel {
+ if dir != model.TrafficDirectionInboundVIP && supportsTunnel {
+ // Support connecting to server side waypoint proxy, if the destination has one. This is for sidecars and ingress.
+ if dir == model.TrafficDirectionOutbound && !b.proxy.IsWaypointProxy() && !b.proxy.IsAmbient() {
But can't HBONE be enabled independently?
—
Reply to this email directly, view it on GitHub
<#43422 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2TIKGVO6ZYZB4LIWZDWYBH5PANCNFSM6AAAAAAU63KNIE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
It does seem this PR has a big negative effect on the post-submit tests, noting that it did re-enable the ambient tests. |
ManagedGatewayLabel = "gateway.istio.io/managed" | ||
ManagedGatewayController = "istio.io-gateway-controller" | ||
ManagedGatewayMeshControllerLabel = "istio.io-mesh-controller" | ||
ManagedGatewayMeshController = "istio.io/mesh-controller" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, these constants should have comments, otherwise they are ambiguous to discern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make sense, i think these may even change
it's a tiny change we just need to build ztunnel in more cases. I'll fix when I'm back on Tuesday |
Closes #40879
This is the final ambient upstream PR. With this PR, ambient mesh will be fully runn-able from the master branch, a part of our regular CI/CD, release, etc. experimental-ambient branch will be deprecated and not used any longer.
This PR imports the final xDS changes, as well as some minor ports that slipped through the cracks in previous PRs.
Most of this PR is new XDS for waypoints. This code, of course, only applies to waypoints so it is off-by-default. There is some changes to sidecar HBONE as well, which is off by default already. There should be no changes for sidecar users; everything is off by default
Quoting from the issue: