
Added cross-namespace validation support for Sidecar's egress listener host, considering exported ServiceEntries. #4387

Merged
merged 1 commit into from Oct 21, 2021

Conversation

hhovsepy
Contributor

@hhovsepy hhovsepy commented Sep 22, 2021

RFE #3061
Subtask : #4316

To the Sidecar validation message "KIA1004 This host has no matching entry in the service registry", support for cross-namespace checking of ServiceEntries is now added.

Having this ServiceEntry exported to all namespaces:
Screenshot from 2021-09-23 21-01-43

Before:
In a Sidecar, egress hosts using an FQDN from another namespace were showing a warning message:
Screenshot from 2021-09-23 20-59-40

Now it supports cross-namespace validations:
Screenshot from 2021-09-23 21-00-26

@lucasponce
Contributor

@hhovsepy @xeviknal please rebase and review this one and put QE on it; when merged I can also resolve the conflicts with the WIP PR.

Thanks !

@hhovsepy
Contributor Author

@xeviknal rebased and ready for review.

Member

@xeviknal xeviknal left a comment

LGTM! I have a couple of comments that I'd like to hear from you though.

@@ -25,7 +25,7 @@ func TestEgressHostFormatCorrect(t *testing.T) {
"~/*",
"./*",
"./reviews.bookinfo.svc.cluster.local",
"./*.bookinfo.svc.cluster.com",
"./*.bookinfo.svc.cluster.local",
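Review bot: swapping `./*.bookinfo.svc.cluster.com` for `./*.bookinfo.svc.cluster.local` in `TestEgressHostFormatCorrect` drops the only wildcard case with a non-`.local` suffix, so the format check loses coverage for that shape; append the new entry instead of replacing, keeping both lines in the list.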
Member

I'd keep both of them. The old one was a very specific service entry that might help identify some logic for service entries. Does it make sense?

Contributor Author

Here the "bookinfo" in this FQDN causes confusion; it worked before because of `if strings.HasPrefix(host.Service, "*")` and now fails because of `if host.IsWildcard() && host.Namespace == itemNamespace`.

Services: []core_v1.Service{},
ServiceEntries: kubernetes.ServiceEntryHostnames([]kubernetes.IstioObject{data.CreateEmptyMeshExternalServiceEntry("details-se", "bookinfo3", []string{"www.myhost.com"})}),
Sidecar: sidecarWithHosts([]interface{}{
"bookinfo/www.myhost.com",
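Review bot: the fixture `data.CreateEmptyMeshExternalServiceEntry("details-se", "bookinfo3", []string{"www.myhost.com"})` sets no `exportTo`, so this case only exercises the default export behaviour; add a sibling case where the same ServiceEntry is exported to `.` only and assert that the KIA1004 warning is raised for `"bookinfo/www.myhost.com"`, and, as suggested in the thread, a `bookinfo/*.myhost.com` entry so the wildcard path is pinned down too.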
Member

Perhaps it wasn't covered before, but should we try to test for a bookinfo/*.myhost.com?

Contributor Author

+1

Contributor Author

Returning to this request after some research. In the validation logic of the Sidecar's hosts, the "*" is ignored and its further existence is not checked, so even if the host is "bookinfo/*.mywronghost.com" the error message will not be shown.
The purpose of this PR is to support only cross-namespace validations without touching the existing logic.

Contributor Author

Added

return true
}

if kubernetes.HasMatchingServices(host.Service, elc.Services) {
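Review bot: `kubernetes.HasMatchingServices(host.Service, elc.Services)` compares only the service name and ignores `host.Namespace`, so a host written with another namespace prefix can still be accepted by a same-named service from the single namespace the checker receives; pass the whole host (namespace and service) into the match, which the thread defers to #4317.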
Member

Thinking of cross-namespace validations: I think we should change this method to cover the cross-namespace case at some point. It sounds better to have a match between a Host and a Service instead of a service name and a service.
However, it might be approached in another issue since the services passed to this checker are only from one namespace.

Contributor Author

Agree, we have a separate task for it: #4317

@hhovsepy
Contributor Author

@xeviknal can you re-review it please?

xeviknal
xeviknal previously approved these changes Oct 15, 2021
Member

@xeviknal xeviknal left a comment

LGTM! There is one minor point that will be approached when using the service registry information.

…r host, considering exported ServiceEntries.
@hhovsepy
Contributor Author

For QE:

  1. Create a ServiceEntry in the bookinfo2 namespace and export it to all namespaces. Set host: 'exporttodetails.bookinfo2.svc.cluster.local'
  2. Create a Sidecar in the bookinfo namespace. Set one of the egress hosts to the ServiceEntry's host "bookinfo2/exporttodetails.bookinfo2.svc.cluster.local".
  3. Verify that no warning is shown on the Sidecar hosts.
  4. Set the created ServiceEntry's export to '.'.
  5. Verify that the created Sidecar now cannot import that ServiceEntry and a warning is shown on the ServiceEntry hosts.
    Screenshot from 2021-10-18 11-19-33
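
The rule exercised by the QE steps above (and described in the PR summary) as a self-contained Go example, added here for illustration; it is not Kiali's code and does not use Kiali's types. Assumptions, labelled in the comments: the `ServiceEntry` struct is a constructed stand-in, an empty `exportTo` is treated like `*`, a ServiceEntry host of the form `*.example.com` matches an exact egress FQDN by suffix, and a wildcard dnsName in the Sidecar host is accepted without lookup, mirroring the remark in the thread that `*` is not checked further.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceEntry holds only the Istio ServiceEntry fields this check reads.
// Constructed stand-in for the example; not Kiali's type.
type ServiceEntry struct {
	Name      string
	Namespace string
	Hosts     []string // exact FQDNs or "*."-prefixed wildcards
	ExportTo  []string // "*" = every namespace, "." = own namespace, else names
}

// ExportedTo reports whether se is visible from namespace ns.
// Assumption: an empty ExportTo list behaves like "*" (exported everywhere).
func (se ServiceEntry) ExportedTo(ns string) bool {
	if len(se.ExportTo) == 0 {
		return true
	}
	for _, e := range se.ExportTo {
		switch e {
		case "*":
			return true
		case ".":
			if se.Namespace == ns {
				return true
			}
		default:
			if e == ns {
				return true
			}
		}
	}
	return false
}

// hostMatches compares an exact Sidecar dnsName with one ServiceEntry host,
// which may itself be a wildcard such as "*.myhost.com" (assumed suffix match).
func hostMatches(dnsName, seHost string) bool {
	if dnsName == seHost {
		return true
	}
	if strings.HasPrefix(seHost, "*.") {
		suffix := seHost[1:] // ".myhost.com"
		return strings.HasSuffix(dnsName, suffix) && len(dnsName) > len(suffix)
	}
	return false
}

// EgressHostHasServiceEntry applies the cross-namespace rule to one Sidecar
// egress host "namespace/dnsName" for a Sidecar living in sidecarNS: the host
// is covered when a ServiceEntry declared in that namespace lists dnsName and
// is exported to sidecarNS. "." means the Sidecar's own namespace; "*" or "~"
// as namespace, or a wildcard dnsName, is accepted without lookup (assumption
// taken from the thread: "*" is not checked further).
func EgressHostHasServiceEntry(egressHost, sidecarNS string, entries []ServiceEntry) bool {
	parts := strings.SplitN(egressHost, "/", 2)
	if len(parts) != 2 {
		return false // malformed; host format is a separate validation
	}
	ns, dnsName := parts[0], parts[1]
	if ns == "*" || ns == "~" || strings.HasPrefix(dnsName, "*") {
		return true
	}
	if ns == "." {
		ns = sidecarNS
	}
	for _, se := range entries {
		if se.Namespace != ns || !se.ExportedTo(sidecarNS) {
			continue
		}
		for _, h := range se.Hosts {
			if hostMatches(dnsName, h) {
				return true
			}
		}
	}
	return false
}

// QEScenario rebuilds the QE steps: a ServiceEntry in bookinfo2 with the given
// exportTo, referenced from a Sidecar in bookinfo. Returns true when no
// KIA1004-style warning would be raised for the egress host.
func QEScenario(exportTo []string) bool {
	se := ServiceEntry{
		Name:      "exporttodetails",
		Namespace: "bookinfo2",
		Hosts:     []string{"exporttodetails.bookinfo2.svc.cluster.local"},
		ExportTo:  exportTo,
	}
	return EgressHostHasServiceEntry(
		"bookinfo2/exporttodetails.bookinfo2.svc.cluster.local",
		"bookinfo", []ServiceEntry{se})
}

func main() {
	fmt.Println("exportTo *: no warning =", QEScenario([]string{"*"}))
	fmt.Println("exportTo .: no warning =", QEScenario([]string{"."}))
}
```

The two `main` lines reproduce steps 3 and 5: with `exportTo: ["*"]` the host resolves and no warning is due; with `exportTo: ["."]` the entry is invisible from bookinfo and the warning fires. The namespace part of the egress host is compared with the ServiceEntry's own namespace, which is why `./exporttodetails…` from bookinfo would not match an entry declared in bookinfo2 even when exported.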

Member

@xeviknal xeviknal left a comment

LGTM!


@skondkar skondkar left a comment

Verified that no warning is shown on the Sidecar host when the ServiceEntry has exportTo set to all namespaces.

Screenshot-ServiceEntry-bookinfo2

Screenshot-NoWarninginSidecarHost

After setting exportTo to '.', the host entry shows a warning message.

Screenshot-warningonSidecarHost

@hhovsepy hhovsepy merged commit 52c9ca7 into kiali:master Oct 21, 2021
@ghost ghost added this to the v1.42.0 milestone Oct 21, 2021
@skondkar

Polarion Testcase ->> SWSQE-2020
