ambient upstream: upstream XDS codegen and some misc

[howardjohn]

Closes #40879

This is the final ambient upstream PR. With this PR, ambient mesh will be fully runn-able from the master branch, a part of our regular CI/CD, release, etc. experimental-ambient branch will be deprecated and not used any longer.

This PR imports the final xDS changes, as well as some minor ports that slipped through the cracks in previous PRs.

Most of this PR is new XDS for waypoints. This code, of course, only applies to waypoints so it is off-by-default. There is some changes to sidecar HBONE as well, which is off by default already. There should be no changes for sidecar users; everything is off by default

Quoting from the issue:

Reviewer guide

It is suggested that reviewers treat these PRs differently than normal, as the code has already been reviewed. PRs should be thoroughly reviewed for risk to non-ambient users, ensuring any new/risky/expensive code is disabled by default. However, code quality comments, nit picks, or even bugs in ambient code should not block a merge; modifying these PRs will be high cost and lead to a 3-way drift from master, experimental-ambient, and the PR. Instead, these comments should be turned into issues to complete following the merge.

Release notes will not be added for any PR. Instead, they will be written holistically for the ambient feature in 1.18 at a later point.

[howardjohn]

/test ?

[istio-testing]

@howardjohn: The following commands are available to trigger required jobs:

• /test analyze-tests
• /test gencheck
• /test integ-ambient
• /test integ-basic-arm64
• /test integ-cni
• /test integ-distroless
• /test integ-ds
• /test integ-helm
• /test integ-ipv6
• /test integ-operator-controller
• /test integ-pilot
• /test integ-pilot-istiodremote
• /test integ-pilot-istiodremote-mc
• /test integ-pilot-multicluster
• /test integ-security
• /test integ-security-istiodremote
• /test integ-security-multicluster
• /test integ-telemetry
• /test integ-telemetry-istiodremote
• /test integ-telemetry-mc
• /test lint
• /test release-notes
• /test release-test
• /test unit-tests
• /test unit-tests-arm64

The following commands are available to trigger optional jobs:

• /test benchmark
• /test integ-assertion

Use /test all to run the following jobs that were automatically triggered:

• analyze-tests_istio
• gencheck_istio
• integ-basic-arm64_istio
• integ-cni_istio
• integ-distroless_istio
• integ-ds_istio
• integ-helm_istio
• integ-ipv6_istio
• integ-operator-controller_istio
• integ-pilot-istiodremote-mc_istio
• integ-pilot-istiodremote_istio
• integ-pilot-multicluster_istio
• integ-pilot_istio
• integ-security-istiodremote_istio
• integ-security-multicluster_istio
• integ-security_istio
• integ-telemetry-istiodremote_istio
• integ-telemetry-mc_istio
• integ-telemetry_istio
• lint_istio
• release-notes_istio
• release-test_istio
• unit-tests-arm64_istio
• unit-tests_istio

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[howardjohn]

/test integ-ambient

[howardjohn]

note: this looks suspicious but we check EnableHBONE in buildInboundHBONEClusters so it does NOT impact non-HBONE users

[howardjohn]

/retest

[howardjohn]

/test integ-ambient

[hzxuzhonghu]

cc @ramaraochavali @costinm @stevenctl

[hzxuzhonghu]

Generally LG, not find a risky point.

[hzxuzhonghu]

mark to check its usage

[hzxuzhonghu]

remove?

[howardjohn]

This is needed per the comment to rebuild. Since SetForTest is run after it is computed

[hzxuzhonghu]

abstract like HboneOrPlaintextSocket

[hzxuzhonghu]

move this after L107?

[ramaraochavali]

I think we need to finish patch listener before we do this. May be we should add buildWaypointListeners that calls buildSidecarListeners and does this stuff

[hzxuzhonghu]

where is the func updated? Just a refactoring router first?

[howardjohn]

Yes

[hzxuzhonghu]

Will this translate multi eps with same waytpoint address?

[howardjohn]

Same waypoint yes, but the endpoints are not identical, so we cannot merge them and add weight. Each one has two addresses associated: the waypoint, and the destination (set in :authority) we want.

[hzxuzhonghu]

Is it possible to move these to a waypoint endpoint builder like listener and cluster?

[howardjohn]

It may be a bit hard since this buildEnvoyLbEndpoint is a common function used by all types, we just have a small bit of custom logic here

[hzxuzhonghu]

cc @kyessenov to take a look at the waypoint builder

[ramaraochavali]

Generally Looks great. Nicely done. Did not fully review the waypoint* files. We can do once this is merged. Left some comments. None of them are blockers.

[ramaraochavali]

nit: remove

[ramaraochavali]

Should this be enabled only when telemetry is on?

[howardjohn]

TBH, not sure its going to matter. The waypoint XDS size is going to be orders of magnitude smaller than sidecars, so a bit of metadata here and there may be fine. We can followup as needed though, telemetry for waypoint is still under construction

[ramaraochavali]

I think we need to finish patch listener before we do this. May be we should add buildWaypointListeners that calls buildSidecarListeners and does this stuff

[ramaraochavali]

Don't we need HBone stuff for waypoint?

[howardjohn]

We do but its in buildWaypointInbound. We have recently improved the HBONE impl for waypoint, so its a bit different than the sidecar one. There is work in #42789 to bring these in alignment which may clean this up

[ramaraochavali]

parse dir only if supportsTunnel is true and move this inside if supportsTunnel?

[howardjohn]

We actually need part of it even with !supportsTunnel. Let me add dir to endpointBuilder so we don't re-parse it and clean up this logic.

[ramaraochavali]

Can this logic be enabled only when ambient mesh is enabled? Do we have such gloabl flag? findingWaypoints etc are not needed if ambient mesh is not enabled?

[howardjohn]

This is already the case :

	if !b.proxy.EnableHBONE() {
		supportsTunnel = false
	}

which is controlled by bot a global flag AND a per-proxy flag enabled

[ramaraochavali]

But can't HBONE be enabled independently?

[costinm]

Can we add a TODO list of bug to track reviewing/changing all user-visible names ?

I don't want to delay this PR - it is a merge - but the review criteria in an experimental branch is slightly different from the review on main - that's why it's experimental. I expect code has been tested and reviewed for functionality, and it is off by default - but we got into a lot of problems by
reviewing APIs and names as 'experimental/alpha' and then having to move them to beta/stable
due to backwards compat.

[howardjohn]

Yes definitely agree. Opened #43437 to track

[costinm]

Also to confirm - now or in future we will allow the user to create a ServiceAccount with the same name and additional annotations ? And we won't add or merge this on top ?

Can you at least add a TODO: that this needs to be documented and discussed. It has to be documented since users may need to add annotations ( for example to allow waypoint to get 3p service account tokens) and used in RBAC rules.

[howardjohn]

The plan is if the resource already exists (without gateway.istio.io/managed) we will not touch it, so they can own it themselves. Note this isn't implemented but tracked in #43439

[howardjohn]

Note since we use Apply they can add annotations and we won't revert them btw. But it is useful to have them be able to fully own it I think.

[kyessenov]

@hzxuzhonghu I recently changed waypoint xDS and it's fine for now. We can iterate on the VirtualService translation for it later.

[stevenctl]

Looks safe to me.

[howardjohn]

/retest

[howardjohn]

/test integ-ambient

[costinm]

We will need to enable independently - for VMs and other environments. My understanding is that can be done by setting the ambient label on a workload - i.e. a proxyless gRPC or VM or pod with 'native' or sidecar-based ambient will have the label and will get requests as hbone. I haven't tested this - and we can add it later, but it is very important for 'other environments' and migrations.

…

On Fri, Feb 17, 2023 at 8:47 PM Rama Chavali ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In pilot/pkg/xds/endpoint_builder.go <#43422 (comment)>: > supportsTunnel = false } // For outbound case, we selectively add tunnel info if the other side supports the tunnel - if supportsTunnel { + if dir != model.TrafficDirectionInboundVIP && supportsTunnel { + // Support connecting to server side waypoint proxy, if the destination has one. This is for sidecars and ingress. + if dir == model.TrafficDirectionOutbound && !b.proxy.IsWaypointProxy() && !b.proxy.IsAmbient() { But can't HBONE be enabled independently? — Reply to this email directly, view it on GitHub <#43422 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAUR2TIKGVO6ZYZB4LIWZDWYBH5PANCNFSM6AAAAAAU63KNIE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[ericvn]

It does seem this PR has a big negative effect on the post-submit tests, noting that it did re-enable the ambient tests.

[shashankram]

In general, these constants should have comments, otherwise they are ambiguous to discern.

[hzxuzhonghu]

make sense, i think these may even change

[howardjohn]

It does seem this PR has a big negative effect on the post-submit tests, noting that it did re-enable the ambient tests.

it's a tiny change we just need to build ztunnel in more cases. I'll fix when I'm back on Tuesday