Added cross-namespace validation support for Sidecar's egress listener host, considering exported ServiceEntries. #4387
@xeviknal rebased and ready for review.
LGTM! I have a couple of comments that I'd like to hear from you though.
@@ -25,7 +25,7 @@ func TestEgressHostFormatCorrect(t *testing.T) { | |||
"~/*", | |||
"./*", | |||
"./reviews.bookinfo.svc.cluster.local", | |||
"./*.bookinfo.svc.cluster.com", | |||
"./*.bookinfo.svc.cluster.local", |
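Review bot: the `./*.bookinfo.svc.cluster.com` entry is replaced rather than kept, so the format test no longer covers a wildcard host outside the cluster domain; add `"./*.bookinfo.svc.cluster.local"` as an additional entry, and if the `.com` host is now expected to be rejected by the `host.IsWildcard() && host.Namespace == itemNamespace` rule, move it into a negative case instead of dropping it.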
I'd keep both of them. The old one was a very specific service entry that might help identify some logic for service entries. Does it make sense?
Here the "bookinfo" in this FQDN causes confusion: it worked before because of "if strings.HasPrefix(host.Service, "*")" and now fails because of "if host.IsWildcard() && host.Namespace == itemNamespace".
Services: []core_v1.Service{}, | ||
ServiceEntries: kubernetes.ServiceEntryHostnames([]kubernetes.IstioObject{data.CreateEmptyMeshExternalServiceEntry("details-se", "bookinfo3", []string{"www.myhost.com"})}), | ||
Sidecar: sidecarWithHosts([]interface{}{ | ||
"bookinfo/www.myhost.com", |
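Review bot: the only cross-namespace case exercised here is an exact host; add a wildcard form such as `"bookinfo/*.myhost.com"`, and a negative case where the ServiceEntry created in `bookinfo3` is not exported to `bookinfo`, so that the test fails if the exportTo list is ever ignored.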
Perhaps it wasn't covered before, but should we try to test for a bookinfo/*.myhost.com?
+1
Returning to this request after some research. In the validation logic of Sidecar's hosts, the "*" is ignored and its further existence is not checked, so even if the host is "bookinfo/*.mywronghost.com" the error message will not be shown.
The purpose of this PR is to support only cross-namespace validations without touching the existing logic.
Added
return true | ||
} | ||
|
||
if kubernetes.HasMatchingServices(host.Service, elc.Services) { |
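Review bot: `kubernetes.HasMatchingServices(host.Service, elc.Services)` matches on the service name alone, so the namespace part of the host is not consulted at this point; since `elc.Services` holds services from a single namespace this cannot misfire today, but a comment stating that assumption (or a pointer to the follow-up for namespace-aware matching) would keep a later change from silently relying on it.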
Thinking of cross-namespace validations. I think we should change this method to cover the cross-namespace case at some point. It sounds better to have a match between a Host and a Service instead of a service name and a service. However, it might be approached in another issue since the services passed to this checker are only from one namespace.
Agree, we have a separate task for it: #4317
@xeviknal can you re-review it please?
LGTM! There is one minor point that will be approached when using the service registry information.
LGTM!
Polarion Testcase ->> SWSQE-2020
RFE #3061
Subtask : #4316
Support for cross-namespace checking of ServiceEntries is now added to the Sidecar validation message "KIA1004 This host has no matching entry in the service registry".
Having this ServiceEntry exported to all namespaces:
Before:
In Sidecar, egress hosts using an FQDN from another namespace were showing a warning message:
Now it supports cross-namespace validations:
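The cross-namespace check this PR describes, as an added example written for this page rather than Kiali's own code: a minimal validator that resolves a Sidecar egress host of the form "namespace/dnsName" against ServiceEntries and only accepts an entry that is visible (local or exported via exportTo) from the host's namespace. The `ServiceEntry` type, `visibleFrom` and `EgressHostHasServiceEntry` are constructed names, and the egress-host syntax follows the hosts used in the PR's tests ("./*", "bookinfo/www.myhost.com").

```go
package main
import "strings"

// ServiceEntry is a constructed, minimal stand-in for the Istio resource.
type ServiceEntry struct {
	Namespace string
	Hosts     []string
	ExportTo  []string // nil means exported to every namespace (Istio default)
}

// visibleFrom reports whether se can be referenced from namespace ns: it lives
// there, or its exportTo list contains "*" or ns.
func (se ServiceEntry) visibleFrom(ns string) bool {
	if se.Namespace == ns || len(se.ExportTo) == 0 {
		return true
	}
	for _, e := range se.ExportTo {
		if e == "*" || e == ns {
			return true
		}
	}
	return false
}

// EgressHostHasServiceEntry validates one Sidecar egress host "namespace/dnsName"
// for a Sidecar in sidecarNs: "*" = any namespace, "." = the Sidecar's own, and a
// dnsName starting with "*" matches any prefix. A ServiceEntry counts only if it
// is visible from the host's namespace, which is the KIA1004 cross-namespace case.
func EgressHostHasServiceEntry(egressHost, sidecarNs string, entries []ServiceEntry) bool {
	parts := strings.SplitN(egressHost, "/", 2)
	if len(parts) != 2 || parts[1] == "" {
		return false
	}
	ns, name := parts[0], parts[1]
	if ns == "." {
		ns = sidecarNs
	}
	for _, se := range entries {
		if ns != "*" && !se.visibleFrom(ns) {
			continue
		}
		for _, h := range se.Hosts {
			if h == name || (strings.HasPrefix(name, "*") && strings.HasSuffix(h, name[1:])) {
				return true
			}
		}
	}
	return false
}
```

With an entry in `bookinfo3` exported to all namespaces, "bookinfo/www.myhost.com" and "bookinfo/*.myhost.com" both resolve, while an entry exported only to its own namespace is rejected from `bookinfo`.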