forked from maistra/istio
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[federation] Federation fixes and improvements
MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (maistra#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (maistra#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422) MAISTRA-2297 Support updates of federation resources (maistra#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (maistra#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440) Log actual error returned by pollServices() (maistra#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ```
- Loading branch information
Showing
91 changed files
with
6,278 additions
and
2,896 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
134 changes: 134 additions & 0 deletions
134
manifests/charts/base/crds/federation.maistra.io_importedservicesets.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,134 @@ | ||
|
|
||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1beta1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| controller-gen.kubebuilder.io/version: v0.4.1 | ||
| creationTimestamp: null | ||
| name: importedservicesets.federation.maistra.io | ||
| spec: | ||
| group: federation.maistra.io | ||
| names: | ||
| kind: ImportedServiceSet | ||
| listKind: ImportedServiceSetList | ||
| plural: importedservicesets | ||
| singular: importedserviceset | ||
| preserveUnknownFields: false | ||
| scope: Namespaced | ||
| subresources: | ||
| status: {} | ||
| validation: | ||
| openAPIV3Schema: | ||
| description: ImportedServiceSet is the Schema for configuring imported services. The name of the ImportedServiceSet resource must match the name of a ServiceMeshPeer resource defining the remote mesh from which the services will be imported. | ||
| properties: | ||
| apiVersion: | ||
| description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
| type: string | ||
| kind: | ||
| description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
| type: string | ||
| metadata: | ||
| type: object | ||
| spec: | ||
| description: Spec defines rules for matching services to be imported. | ||
| properties: | ||
| domainSuffix: | ||
| description: 'DomainSuffix specifies the domain suffix to be applies to imported services. If no domain suffix is specified, imported services will be named as follows: <imported-name>.<imported-namespace>.svc.<mesh-name>-imports.local If a domain suffix is specified, imported services will be named as follows: <imported-name>.<imported-namespace>.<domain-suffix>' | ||
| type: string | ||
| importRules: | ||
| description: ImportRules are the rules that determine which services are imported to the mesh. The list is processed in order and the first spec in the list that applies to a service is the one that will be applied. This allows more specific selectors to be placed before more general selectors. | ||
| items: | ||
| properties: | ||
| domainSuffix: | ||
| description: DomainSuffix applies the specified suffix to services imported by this rule. The behavior is identical to that of ImportedServiceSetSpec.DomainSuffix. | ||
| type: string | ||
| importAsLocal: | ||
| description: ImportAsLocal imports the service as a local service in the mesh. For example, if an exported service, foo/bar is imported as some-ns/service, the service will be imported as service.some-ns.svc.cluster.local in the some-ns namespace. If a service of this name already exists in the mesh, the imported service's endpoints will be aggregated with any other workloads associated with the service. This setting overrides DomainSuffix. | ||
| type: boolean | ||
| nameSelector: | ||
| description: NameSelector provides a simple name matcher for importing services in the mesh. | ||
| properties: | ||
| alias: | ||
| properties: | ||
| name: | ||
| type: string | ||
| namespace: | ||
| type: string | ||
| type: object | ||
| name: | ||
| type: string | ||
| namespace: | ||
| type: string | ||
| type: object | ||
| type: | ||
| description: Type of rule. Only Name type is supported. | ||
| type: string | ||
| required: | ||
| - type | ||
| type: object | ||
| type: array | ||
| locality: | ||
| description: Locality within which imported services should be associated. | ||
| properties: | ||
| region: | ||
| description: Region within which imported services are located. | ||
| type: string | ||
| subzone: | ||
| description: Subzone within which imported services are located. If Subzone is specified, Zone must also be specified. | ||
| type: string | ||
| zone: | ||
| description: Zone within which imported services are located. If Zone is specified, Region must also be specified. | ||
| type: string | ||
| type: object | ||
| type: object | ||
| status: | ||
| properties: | ||
| importedServices: | ||
| description: Imports provides details about the services imported by this mesh. | ||
| items: | ||
| description: PeerServiceMapping represents the name mapping between an exported service and its local counterpart. | ||
| properties: | ||
| exportedName: | ||
| description: ExportedName represents the fully qualified domain name (FQDN) of an exported service. For an exporting mesh, this is the name that is exported to the remote mesh. For an importing mesh, this would be the name of the service exported by the remote mesh. | ||
| type: string | ||
| localService: | ||
| description: LocalService represents the service in the local (i.e. this) mesh. For an exporting mesh, this would be the service being exported. For an importing mesh, this would be the imported service. | ||
| properties: | ||
| hostname: | ||
| description: Hostname represents fully qualified domain name (FQDN) used to access the service. | ||
| type: string | ||
| name: | ||
| description: Name represents the simple name of the service, e.g. the metadata.name field of a kubernetes Service. | ||
| type: string | ||
| namespace: | ||
| description: Namespace represents the namespace within which the service resides. | ||
| type: string | ||
| required: | ||
| - hostname | ||
| - name | ||
| - namespace | ||
| type: object | ||
| required: | ||
| - exportedName | ||
| - localService | ||
| type: object | ||
| type: array | ||
| x-kubernetes-list-map-keys: | ||
| - exportedName | ||
| x-kubernetes-list-type: map | ||
| required: | ||
| - importedServices | ||
| type: object | ||
| type: object | ||
| version: v1 | ||
| versions: | ||
| - name: v1 | ||
| served: true | ||
| storage: true | ||
| status: | ||
| acceptedNames: | ||
| kind: "" | ||
| plural: "" | ||
| conditions: [] | ||
| storedVersions: [] |
Oops, something went wrong.