Cherry-pick multi-root support #387
Merged: maistra-bot merged 2 commits into maistra:maistra-2.1-istio-1.9 from dgn:multi-root-support on Jul 1, 2021
#379 has been merged.

I've created a new PR with all the remaining commits that were added to maistra-2.1 after my rebase (#388). It's best if you take that as the base for your PR.

dgn force-pushed the multi-root-support branch 2 times, most recently from 2e5b59f to f5a06ae on July 1, 2021 08:52

/retest
Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)
dgn changed the title from "[WIP] Cherry-pick multi-root support" to "Cherry-pick multi-root support" on Jul 1, 2021

rcernich approved these changes on Jul 1, 2021
luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 2, 2022
MAISTRA-2423 update federation api to v1

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services

Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (maistra#387)

* Update go-control-plane to v0.9.9
* Support multiple roots

Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements

Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422)

MAISTRA-2297 Support updates of federation resources (maistra#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call

`setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:

```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```
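
The visibility rule described under MAISTRA-2439 in the commit message above, as an added example that is not code from this pull request or from the Maistra code base. The `Service` type, the function names, the gateway namespace `istio-system` and the sample services are hypothetical; the example assumes the Istio `exportTo` values `*` (all namespaces), `.` (the service's own namespace) and `~` (none), and treats a missing or empty annotation as the mesh default `*`.

```go
package main

import (
	"fmt"
	"strings"
)

// exportToAnnotation is the service annotation named in the commit message.
const exportToAnnotation = "networking.istio.io/exportTo"

// Service is a hypothetical, minimal stand-in for a Kubernetes Service.
type Service struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// visibleFrom reports whether svc is visible from namespace ns according to
// its exportTo annotation. Assumption: a missing or empty annotation means the
// mesh-wide default of "*". A "~" entry anywhere in the list denies
// visibility, so a contradictory value such as "*,~" fails closed.
func visibleFrom(svc Service, ns string) bool {
	raw := strings.TrimSpace(svc.Annotations[exportToAnnotation])
	if raw == "" {
		return true
	}
	visible := false
	for _, entry := range strings.Split(raw, ",") {
		switch e := strings.TrimSpace(entry); e {
		case "":
			continue
		case "~":
			return false
		case "*":
			visible = true
		case ".":
			if svc.Namespace == ns {
				visible = true
			}
		default:
			if e == ns {
				visible = true
			}
		}
	}
	return visible
}

// filterExportable splits services into those that may be exported to a
// federated mesh and those that must be skipped because the federation
// gateway in gatewayNS cannot see them.
func filterExportable(services []Service, gatewayNS string) (exported, skipped []string) {
	for _, svc := range services {
		id := svc.Namespace + "/" + svc.Name
		if visibleFrom(svc, gatewayNS) {
			exported = append(exported, id)
		} else {
			skipped = append(skipped, id)
		}
	}
	return exported, skipped
}

// sampleServices returns constructed sample data, not taken from the page.
func sampleServices() []Service {
	ann := func(v string) map[string]string {
		return map[string]string{exportToAnnotation: v}
	}
	return []Service{
		{Name: "ratings", Namespace: "bookinfo"},                                        // no annotation
		{Name: "reviews", Namespace: "bookinfo", Annotations: ann(".")},                 // own namespace only
		{Name: "details", Namespace: "bookinfo", Annotations: ann("bookinfo, istio-system")},
		{Name: "payments", Namespace: "shop", Annotations: ann("~")},                    // visible nowhere
		{Name: "telemetry", Namespace: "istio-system", Annotations: ann(".")},           // lives beside the gateway
		{Name: "orders", Namespace: "shop", Annotations: ann("shop")},                   // named namespace only
		{Name: "catalog", Namespace: "shop", Annotations: ann("*")},                     // explicit mesh-wide
	}
}

func main() {
	exported, skipped := filterExportable(sampleServices(), "istio-system")
	fmt.Println("exported:", strings.Join(exported, ", "))
	fmt.Println("skipped: ", strings.Join(skipped, ", "))
}
```
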
luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 4, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 4, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 7, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 7, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 7, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 7, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 9, 2022

luksa pushed a commit to luksa/istio-maistra that referenced this pull request on Feb 21, 2022
luksa
pushed a commit
to luksa/istio-maistra
that referenced
this pull request
Feb 22, 2022
luksa
pushed a commit
to luksa/istio-maistra
that referenced
this pull request
Feb 28, 2022
luksa
pushed a commit
to luksa/istio-maistra
that referenced
this pull request
Mar 1, 2022
maistra-bot
pushed a commit
that referenced
this pull request
Mar 1, 2022
jewertow
pushed a commit
to jewertow/istio
that referenced
this pull request
Jul 14, 2022
jewertow
pushed a commit
to jewertow/istio
that referenced
this pull request
Aug 22, 2022
maistra-bot
added a commit
that referenced
this pull request
Aug 22, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336)
  Signed-off-by: rcernich <rcernich@redhat.com>
* [misc] Use objects and clients from maistra/api repo
  - Remove local objects and clients
  - Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (#348)
  Signed-off-by: rcernich <rcernich@redhat.com>
* [federation] Federation fixes and improvements

  MAISTRA-2423 update federation api to v1
  Signed-off-by: rcernich <rcernich@redhat.com>

  MAISTRA-2424 minor updates to federation api
  Signed-off-by: rcernich <rcernich@redhat.com>

  MAISTRA-2427 configure locality info on imported services
  Signed-off-by: rcernich <rcernich@redhat.com>

  Cherry-pick multi-root support (#387)
  * Update go-control-plane to v0.9.9
  * Support multiple roots

  Squashed commit, contains:
  - MAISTRA-2325 Distribute trust bundles over SDS
  - MAISTRA-2390 Push trust bundle updates through xDS (#357)

  MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392)
  Signed-off-by: rcernich <rcernich@redhat.com>

  MAISTRA-2426 move FederationStatus into MeshFederation (#393)
  Signed-off-by: rcernich <rcernich@redhat.com>

  MAISTRA-2513 federation API refinements
  Signed-off-by: rcernich <rcernich@redhat.com>

  [federation] MAISTRA-2237 Encrypt service discovery traffic (#411)

  MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422)

  MAISTRA-2297 Support updates of federation resources (#417)

  MAISTRA-2375: Do not create automatic routes for Federation Gateways

  Remove a redundant call

  `setHostname()` is already being called within `NameForService()`
  see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129

  Remove techPreview.meshConfig from PoC example

  It's set by default now.

  MAISTRA-2611 Fix deletion of service exports to federated mesh (#421)

  Fix test

  MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437)
  * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
  * Fix test

  MAISTRA-2682 Fix watch mechanism in federation (#439)

  Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

  MAISTRA-2683 Properly close incoming watch connections when shutting down (#440)

  Log actual error returned by pollServices() (#441)

  Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

  MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432)

  By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

  If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

  MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425)

  When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

  This fixes an istiod startup error as seen in the logs:

  ```
  github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
  ```
* Remove package export and extensions
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicking from AppendNetworkGatewayHandler
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (#456)

  This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures.

  This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (#478)
  Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (#447)
* Fix building federation test
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (#480)
* Fix SecretCacheClient
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (#521)
* OSSM-1529 Improve federation example script (#522)
* OSSM-1529 Improve federation example install.sh

  Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.

  With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls).

  If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.
* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (#561)
  Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>

Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
jewertow added a commit to jewertow/istio that referenced this pull request Aug 22, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (maistra#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336)

Signed-off-by: rcernich <rcernich@redhat.com>

* [misc] Use objects and clients from maistra/api repo
  - Remove local objects and clients
  - Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348)

Signed-off-by: rcernich <rcernich@redhat.com>

* [federation] Federation fixes and improvements

MAISTRA-2423 update federation api to v1

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services

Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (maistra#387)

* Update go-control-plane to v0.9.9
* Support multiple roots

Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements

Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422)

MAISTRA-2297 Support updates of federation resources (maistra#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call

`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:
```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix creating discovery.Controller

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix calling nil ResourceManager

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove panicking from AppendNetworkGatewayHandler

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456)

This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures.

This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478)

Co-authored-by: Marko Lukša <marko.luksa@gmail.com>

* OSSM-1252 Fix federation status updates (maistra#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] MAISTRA-2640 Add federation integration test (maistra#447)
* Fix building federation test

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable configuring remote cluster in federation deployment

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] OSSM-1128 Fix federation (maistra#480)
* Fix SecretCacheClient

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Send initial XDS request for trust bundle from proxy

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable using EndpointSlices to fix error on getting federation-egress endpoints

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove unused serviceMeshExtensionController

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix lint errors

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Update maistra CRDs

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* fedration_cp_version_update (maistra#521)
* OSSM-1529 Improve federation example script (maistra#522)
* OSSM-1529 Improve federation example install.sh

Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.

With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.

* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (maistra#561)

Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
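The MAISTRA-2439 entry in the commit message above filters federation exports by the `networking.istio.io/exportTo` annotation. The Go example below is added here to illustrate that check and is not code from the Maistra repository: the `Service` struct, the function names, the sample services and the `mesh1-system` gateway namespace are constructed, and the fallback for services without the annotation is passed in as an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// exportToAnnotation is the annotation named in the commit message.
const exportToAnnotation = "networking.istio.io/exportTo"

// Service is a constructed stand-in for the few Kubernetes Service fields
// this check needs; it is not a type from the Maistra code base.
type Service struct {
	Namespace   string
	Name        string
	Annotations map[string]string
}

// visibleFrom reports whether svc is visible to workloads in clientNamespace.
// defaultExportTo is used when the annotation is absent or empty
// (assumption: the caller supplies the mesh-wide default).
func visibleFrom(svc Service, clientNamespace, defaultExportTo string) bool {
	raw := strings.TrimSpace(svc.Annotations[exportToAnnotation])
	if raw == "" {
		raw = defaultExportTo
	}
	for _, entry := range strings.Split(raw, ",") {
		switch ns := strings.TrimSpace(entry); ns {
		case "*": // visible in every namespace
			return true
		case ".": // visible only in the service's own namespace
			if svc.Namespace == clientNamespace {
				return true
			}
		default: // explicit namespace; "~" (none) and "" never match one
			if ns != "" && ns == clientNamespace {
				return true
			}
		}
	}
	return false
}

// exportableServices returns "namespace/name" for every candidate that the
// federation gateway namespace can reach, in input order. Services hidden
// from the gateway are dropped instead of being offered to the peer mesh.
func exportableServices(candidates []Service, gatewayNamespace, defaultExportTo string) []string {
	var out []string
	for _, svc := range candidates {
		if visibleFrom(svc, gatewayNamespace, defaultExportTo) {
			out = append(out, svc.Namespace+"/"+svc.Name)
		}
	}
	return out
}

// sampleServices returns constructed input covering each annotation form.
func sampleServices() []Service {
	ann := func(v string) map[string]string {
		return map[string]string{exportToAnnotation: v}
	}
	return []Service{
		{Namespace: "bookinfo", Name: "ratings"}, // no annotation: default applies
		{Namespace: "bookinfo", Name: "mongodb", Annotations: ann(".")},
		{Namespace: "bookinfo", Name: "reviews", Annotations: ann("bookinfo, mesh1-system")},
		{Namespace: "bookinfo", Name: "details", Annotations: ann("~")},
		{Namespace: "mesh1-system", Name: "telemetry", Annotations: ann(".")},
	}
}

func main() {
	for _, name := range exportableServices(sampleServices(), "mesh1-system", "*") {
		fmt.Println("export:", name)
	}
}
```

With `"."` passed as the default instead of `"*"`, an unannotated service is exported only if it lives in the gateway's own namespace.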
maistra-bot added a commit that referenced this pull request Aug 23, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336)

Signed-off-by: rcernich <rcernich@redhat.com>

* [misc] Use objects and clients from maistra/api repo
  - Remove local objects and clients
  - Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (#348)

Signed-off-by: rcernich <rcernich@redhat.com>

* [federation] Federation fixes and improvements

MAISTRA-2423 update federation api to v1

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services

Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (#387)

* Update go-control-plane to v0.9.9
* Support multiple roots

Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (#393)

Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements

Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422)

MAISTRA-2297 Support updates of federation resources (#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call

`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (#440)

Log actual error returned by pollServices() (#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:
```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix creating discovery.Controller

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix calling nil ResourceManager

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove panicking from AppendNetworkGatewayHandler

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [misc] OSSM-774 Fix flaky TestStatusManager (#456)

This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures.

This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* OSSM-1150 Fix flaky TestStatusManager unit test (#478)

Co-authored-by: Marko Lukša <marko.luksa@gmail.com>

* OSSM-1252 Fix federation status updates (#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] MAISTRA-2640 Add federation integration test (#447)
* Fix building federation test

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable configuring remote cluster in federation deployment

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] OSSM-1128 Fix federation (#480)
* Fix SecretCacheClient

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Send initial XDS request for trust bundle from proxy

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable using EndpointSlices to fix error on getting federation-egress endpoints

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove unused serviceMeshExtensionController

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix lint errors

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Update maistra CRDs

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* fedration_cp_version_update (#521)
* OSSM-1529 Improve federation example script (#522)
* OSSM-1529 Improve federation example install.sh

Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.

With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.

* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (#561)

Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
jewertow added a commit to jewertow/istio that referenced this pull request Aug 24, 2022
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 25, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (maistra#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333)

* [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336)
Signed-off-by: rcernich <rcernich@redhat.com>

* [misc] Use objects and clients from maistra/api repo
- Remove local objects and clients
- Update Makefile

* [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348)
Signed-off-by: rcernich <rcernich@redhat.com>

* [federation] Federation fixes and improvements

MAISTRA-2423 update federation api to v1
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services
Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (maistra#387)
* Update go-control-plane to v0.9.9
* Support multiple roots
Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements
Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422)

MAISTRA-2297 Support updates of federation resources (maistra#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call
`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129

Remove techPreview.meshConfig from PoC example
It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)
* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)
Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)
Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)
By taking into consideration the service annotation `networking.istio.io/exportTo`.
This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/
If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)
When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.
This fixes an istiod startup error as seen in the logs:

```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix creating discovery.Controller
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix calling nil ResourceManager
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove panicking from AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456)
This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures.
This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478)
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>

* OSSM-1252 Fix federation status updates (maistra#512)

* Copy federation privileges from base to istio-discovery

* Remove unnecessary ServiceMeshExtensions CRD
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] MAISTRA-2640 Add federation integration test (maistra#447)

* Fix building federation test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable configuring remote cluster in federation deployment
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* [federation] OSSM-1128 Fix federation (maistra#480)

* Fix SecretCacheClient
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Send initial XDS request for trust bundle from proxy
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Disable using EndpointSlices to fix error on getting federation-egress endpoints
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Remove unused serviceMeshExtensionController
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Fix lint errors
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* Update maistra CRDs
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>

* fedration_cp_version_update (maistra#521)

* OSSM-1529 Improve federation example script (maistra#522)

* OSSM-1529 Improve federation example install.sh
Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.

* Update Federation example README

* Better "Waiting for load balancer" message

* OSSM-1211 Fix federation locality failover issues (maistra#561)
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>

Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
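The export filter described under MAISTRA-2439 in the commit message above, sketched as an added Go example (not code from the Maistra repository). The `Service` type, the function names and the sample services are hypothetical and constructed here; treating a missing annotation as "export to all" and the `*`, `.` and `~` scopes follow upstream Istio's visibility values and are assumptions, since the commit message names only the annotation.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation named in the MAISTRA-2439 commit message.
const exportToAnnotation = "networking.istio.io/exportTo"

// Service is a hypothetical, minimal stand-in for a Kubernetes Service.
type Service struct {
	Namespace   string
	Name        string
	Annotations map[string]string
}

// visibleFrom reports whether svc is visible from gatewayNamespace.
// Assumed semantics (upstream Istio): the value is a comma-separated list
// where "*" means every namespace, "." the service's own namespace and
// "~" nobody; a missing or empty annotation means no restriction.
func visibleFrom(svc Service, gatewayNamespace string) bool {
	raw := strings.TrimSpace(svc.Annotations[exportToAnnotation])
	if raw == "" {
		return true
	}
	for _, entry := range strings.Split(raw, ",") {
		switch scope := strings.TrimSpace(entry); scope {
		case "*":
			return true
		case ".":
			if svc.Namespace == gatewayNamespace {
				return true
			}
		case "~", "":
			// "~" grants nothing; empty entries come from stray commas.
		default:
			if scope == gatewayNamespace {
				return true
			}
		}
	}
	return false
}

// exportableServices returns "namespace/name" for every service that the
// federation gateway namespace can see, in input order. Anything the
// gateway cannot reach is withheld from export.
func exportableServices(services []Service, gatewayNamespace string) []string {
	var out []string
	for _, svc := range services {
		if visibleFrom(svc, gatewayNamespace) {
			out = append(out, svc.Namespace+"/"+svc.Name)
		}
	}
	return out
}

// sampleServices is constructed test data, not taken from a real mesh.
func sampleServices() []Service {
	ann := func(v string) map[string]string {
		return map[string]string{exportToAnnotation: v}
	}
	return []Service{
		{Namespace: "bookinfo", Name: "ratings"},
		{Namespace: "bookinfo", Name: "reviews", Annotations: ann("bookinfo, mesh1-system")},
		{Namespace: "bookinfo", Name: "details", Annotations: ann(".")},
		{Namespace: "bookinfo", Name: "mongodb", Annotations: ann("~")},
		{Namespace: "mesh1-system", Name: "gateway-local", Annotations: ann(".")},
		{Namespace: "payments", Name: "ledger", Annotations: ann("payments,audit")},
	}
}

func main() {
	// "mesh1-system" is a constructed federation gateway namespace.
	for _, s := range exportableServices(sampleServices(), "mesh1-system") {
		fmt.Println("export:", s)
	}
}
```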
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 25, 2022
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 25, 2022
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 29, 2022
* [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (maistra#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (maistra#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (maistra#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422) MAISTRA-2297 Support updates of federation resources (maistra#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways 
Remove a redundant call

`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go
lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:

```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicing from AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456)

This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478)
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (maistra#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (maistra#447)
* Fix building federation test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (maistra#480)
* Fix SecretCacheClient
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (maistra#521)
* OSSM-1529 Improve federation example script (maistra#522)
* OSSM-1529 Improve federation example install.sh

Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.

With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.

* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (maistra#561)
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>

Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
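The export rule described under MAISTRA-2439 in the commit message above, as an added Go sketch that is not the project's code: a service is offered to a federated mesh only if its `networking.istio.io/exportTo` annotation makes it visible from the federation gateway's namespace. The `service` type, the function names, the `mesh1-system` namespace and the sample services are hypothetical, and the sketch assumes that a missing annotation means the mesh-wide default of `*`.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation named in the MAISTRA-2439 commit message.
const exportToAnnotation = "networking.istio.io/exportTo"

// service is a constructed stand-in for a Kubernetes Service (hypothetical type).
type service struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// visibleFrom reports whether svc is visible from namespace ns according to
// its exportTo annotation. Entries are comma separated: "*" means the whole
// mesh, "." the service's own namespace, "~" nowhere, anything else is a
// namespace name.
// Assumption: a missing or empty annotation falls back to the default "*".
func visibleFrom(svc service, ns string) bool {
	raw := strings.TrimSpace(svc.Annotations[exportToAnnotation])
	if raw == "" {
		return true
	}
	for _, entry := range strings.Split(raw, ",") {
		switch e := strings.TrimSpace(entry); e {
		case "", "~":
			continue // grants visibility to nobody
		case "*":
			return true
		case ".":
			if svc.Namespace == ns {
				return true
			}
		default:
			if e == ns {
				return true
			}
		}
	}
	return false
}

// exportable returns "namespace/name" for every service the federation
// gateway running in gatewayNS is allowed to export; services hidden from
// that namespace are skipped instead of being leaked to the peer mesh.
func exportable(services []service, gatewayNS string) []string {
	var names []string
	for _, svc := range services {
		if visibleFrom(svc, gatewayNS) {
			names = append(names, svc.Namespace+"/"+svc.Name)
		}
	}
	return names
}

// sampleServices returns constructed input covering each annotation form.
func sampleServices() []service {
	ann := func(v string) map[string]string {
		return map[string]string{exportToAnnotation: v}
	}
	return []service{
		{"ratings", "bookinfo", nil},                            // no annotation
		{"reviews", "bookinfo", ann("bookinfo, mesh1-system")},  // gateway namespace listed
		{"mongodb", "bookinfo", ann(".")},                       // own namespace only
		{"details", "bookinfo", ann("~")},                       // visible nowhere
		{"productpage", "bookinfo", ann("*")},                   // whole mesh
		{"egress-helper", "mesh1-system", ann(".")},             // same namespace as gateway
	}
}

func main() {
	for _, name := range exportable(sampleServices(), "mesh1-system") {
		fmt.Println("export:", name)
	}
}
```
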
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 29, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (maistra#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336)
Signed-off-by: rcernich <rcernich@redhat.com>
* [misc] Use objects and clients from maistra/api repo
- Remove local objects and clients
- Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348)
Signed-off-by: rcernich <rcernich@redhat.com>
* [federation] Federation fixes and improvements

MAISTRA-2423 update federation api to v1
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services
Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (maistra#387)

* Update go-control-plane to v0.9.9
* Support multiple roots

Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements
Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422)

MAISTRA-2297 Support updates of federation resources (maistra#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call

`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go
lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:

```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicing from AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456)

This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478)
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (maistra#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (maistra#447)
* Fix building federation test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (maistra#480)
* Fix SecretCacheClient
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (maistra#521)
* OSSM-1529 Improve federation example script (maistra#522)
* OSSM-1529 Improve federation example install.sh

Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.

With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.

* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (maistra#561)
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>

Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
jewertow
added a commit
to jewertow/istio
that referenced
this pull request
Aug 29, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (maistra#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336)
Signed-off-by: rcernich <rcernich@redhat.com>
* [misc] Use objects and clients from maistra/api repo
- Remove local objects and clients
- Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348)
Signed-off-by: rcernich <rcernich@redhat.com>
* [federation] Federation fixes and improvements

MAISTRA-2423 update federation api to v1
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2424 minor updates to federation api
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2427 configure locality info on imported services
Signed-off-by: rcernich <rcernich@redhat.com>

Cherry-pick multi-root support (maistra#387)

* Update go-control-plane to v0.9.9
* Support multiple roots

Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (maistra#357)

MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393)
Signed-off-by: rcernich <rcernich@redhat.com>

MAISTRA-2513 federation API refinements
Signed-off-by: rcernich <rcernich@redhat.com>

[federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411)

MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422)

MAISTRA-2297 Support updates of federation resources (maistra#417)

MAISTRA-2375: Do not create automatic routes for Federation Gateways

Remove a redundant call

`setHostname()` is already being called within `NameForService()`
see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go
lines 83, 120, 129

Remove techPreview.meshConfig from PoC example

It's set by default now.

MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421)

Fix test

MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437)

* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test

MAISTRA-2682 Fix watch mechanism in federation (maistra#439)

Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.

MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440)

Log actual error returned by pollServices() (maistra#441)

Previously, instead of the actual error, only the following error message was logged: "expected condition not met".

MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432)

By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/

If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.

MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425)

When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.

This fixes an istiod startup error as seen in the logs:

```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```

* Remove package export and extensions
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicing from AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456)

This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.

* Refactor manager_test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478)
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (maistra#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (maistra#447)
* Fix building federation test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (maistra#480)
* Fix SecretCacheClient
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (maistra#521)
* OSSM-1529 Improve federation example script (maistra#522)
* OSSM-1529 Improve federation example install.sh

Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (maistra#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
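The MAISTRA-2439 entry in the commit message above ties export eligibility to the `networking.istio.io/exportTo` annotation. The following is an added illustration of that visibility check, not code from this pull request or from the Maistra project; the `Service` type, the function names, the sample namespaces, the comma-separated list handling and the "no annotation means visible everywhere" default are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// exportToAnnotation is the Istio service annotation named in the commit message.
const exportToAnnotation = "networking.istio.io/exportTo"

// Service is a hypothetical, minimal stand-in for a Kubernetes Service object.
type Service struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

// VisibleFrom reports whether svc is visible from namespace ns.
//   - "*" means visible to the whole mesh
//   - "." means visible only inside the service's own namespace
//   - any other entry is treated as an explicit namespace name
//
// Assumptions: entries are comma-separated, and a missing or empty annotation
// falls back to a mesh-wide default of "*".
func VisibleFrom(svc Service, ns string) bool {
	raw, ok := svc.Annotations[exportToAnnotation]
	if !ok || strings.TrimSpace(raw) == "" {
		return true
	}
	for _, entry := range strings.Split(raw, ",") {
		switch e := strings.TrimSpace(entry); e {
		case "*":
			return true
		case ".":
			if svc.Namespace == ns {
				return true
			}
		default:
			if e == ns {
				return true
			}
		}
	}
	return false
}

// Exportable returns "namespace/name" for every service that the federation
// gateway running in gatewayNS is allowed to see, and therefore to export.
func Exportable(services []Service, gatewayNS string) []string {
	var out []string
	for _, s := range services {
		if VisibleFrom(s, gatewayNS) {
			out = append(out, s.Namespace+"/"+s.Name)
		}
	}
	return out
}

// sampleServices returns constructed sample data; none of it comes from a real cluster.
func sampleServices() []Service {
	ann := func(v string) map[string]string {
		return map[string]string{exportToAnnotation: v}
	}
	return []Service{
		{Name: "ratings", Namespace: "bookinfo"},                             // no annotation
		{Name: "mongodb", Namespace: "bookinfo", Annotations: ann(".")},      // private to bookinfo
		{Name: "ledger", Namespace: "payments", Annotations: ann("mesh1-system, audit")},
		{Name: "vault", Namespace: "payments", Annotations: ann("audit")},    // gateway namespace not listed
		{Name: "telemetry", Namespace: "mesh1-system", Annotations: ann(".")}, // same namespace as gateway
		{Name: "frontend", Namespace: "web", Annotations: ann("*")},
	}
}

func main() {
	for _, name := range Exportable(sampleServices(), "mesh1-system") {
		fmt.Println("exportable:", name)
	}
}
```

A service restricted with `.` or with a namespace list that omits the gateway namespace is dropped before any export rule is evaluated, so a mesh-local restriction is not widened by federation.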
maistra-bot
added a commit
that referenced
this pull request
Aug 30, 2022
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336)
Signed-off-by: rcernich <rcernich@redhat.com>
* [misc] Use objects and clients from maistra/api repo
- Remove local objects and clients
- Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (#348)
Signed-off-by: rcernich <rcernich@redhat.com>
* [federation] Federation fixes and improvements
MAISTRA-2423 update federation api to v1
Signed-off-by: rcernich <rcernich@redhat.com>
MAISTRA-2424 minor updates to federation api
Signed-off-by: rcernich <rcernich@redhat.com>
MAISTRA-2427 configure locality info on imported services
Signed-off-by: rcernich <rcernich@redhat.com>
Cherry-pick multi-root support (#387)
* Update go-control-plane to v0.9.9
* Support multiple roots
Squashed commit, contains:
- MAISTRA-2325 Distribute trust bundles over SDS
- MAISTRA-2390 Push trust bundle updates through xDS (#357)
MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392)
Signed-off-by: rcernich <rcernich@redhat.com>
MAISTRA-2426 move FederationStatus into MeshFederation (#393)
Signed-off-by: rcernich <rcernich@redhat.com>
MAISTRA-2513 federation API refinements
Signed-off-by: rcernich <rcernich@redhat.com>
[federation] MAISTRA-2237 Encrypt service discovery traffic (#411)
MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422)
MAISTRA-2297 Support updates of federation resources (#417)
MAISTRA-2375: Do not create automatic routes for Federation Gateways
Remove a redundant call
`setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129
Remove techPreview.meshConfig from PoC example
It's set by default now.
MAISTRA-2611 Fix deletion of service exports to federated mesh (#421)
Fix test
MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437)
* MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
* Fix test
MAISTRA-2682 Fix watch mechanism in federation (#439)
Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.
MAISTRA-2683 Properly close incoming watch connections when shutting down (#440)
Log actual error returned by pollServices() (#441)
Previously, instead of the actual error, only the following error message was logged: "expected condition not met".
MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432)
By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/
If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.
MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425)
When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.
This fixes an istiod startup error as seen in the logs:
```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```
* Remove package export and extensions
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicking from AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (#456)
This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (#478)
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (#447)
* Fix building federation test
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (#480)
* Fix SecretCacheClient
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (#521)
* OSSM-1529 Improve federation example script (#522)
* OSSM-1529 Improve federation example install.sh
Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.
* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (#561)
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Signed-off-by: rcernich <rcernich@redhat.com>
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
Co-authored-by: Rob Cernich <rcernich@redhat.com>
Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
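The MAISTRA-2682 entry in the commit message above describes a watch reader that polled the decoder's buffer and so never called `Decode()`. The following is an added illustration of that failure mode next to a blocking decode loop, not code from this pull request or from the Maistra project; the `WatchEvent` shape, the function names and the sample stream are assumptions made for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// WatchEvent is a hypothetical event shape for a streamed watch response.
type WatchEvent struct {
	Action  string `json:"action"`
	Service string `json:"service"`
}

// sampleStream is constructed sample input: three newline-delimited JSON events.
const sampleStream = `{"action":"ADD","service":"productpage.bookinfo"}
{"action":"UPDATE","service":"productpage.bookinfo"}
{"action":"DELETE","service":"ratings.bookinfo"}
`

// BrokenWait reproduces the shape of the bug: it only calls Decode once the
// decoder's internal buffer holds data. json.Decoder fills that buffer from the
// underlying reader inside Decode, so the condition never becomes true.
// The poll count is bounded here so the function terminates.
func BrokenWait(body io.Reader, maxPolls int) (events int) {
	dec := json.NewDecoder(body)
	for i := 0; i < maxPolls; i++ {
		if n, _ := io.Copy(io.Discard, dec.Buffered()); n > 0 {
			var ev WatchEvent
			if dec.Decode(&ev) == nil {
				events++
			}
		}
	}
	return events
}

// ReadEvents blocks in Decode, which is the call that pulls bytes off the
// connection. A clean end of stream returns nil; a truncated or malformed
// event returns the decoding error so the caller can log it and reconnect.
// The context is checked between events; a Decode that is blocked on the
// network is released by closing the response body.
func ReadEvents(ctx context.Context, body io.Reader, handle func(WatchEvent)) error {
	dec := json.NewDecoder(body)
	for {
		if err := ctx.Err(); err != nil {
			return err
		}
		var ev WatchEvent
		if err := dec.Decode(&ev); err != nil {
			if errors.Is(err, io.EOF) {
				return nil
			}
			return fmt.Errorf("decoding watch event: %w", err)
		}
		handle(ev)
	}
}

func main() {
	fmt.Println("buffer-polling loop read:", BrokenWait(strings.NewReader(sampleStream), 1000))

	var got []WatchEvent
	err := ReadEvents(context.Background(), strings.NewReader(sampleStream), func(ev WatchEvent) {
		got = append(got, ev)
	})
	fmt.Println("decode loop read:", len(got), "err:", err)
}
```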
bartoszmajsak
pushed a commit
to bartoszmajsak/istio
that referenced
this pull request
Dec 1, 2022
bartoszmajsak
pushed a commit
to bartoszmajsak/istio
that referenced
this pull request
Dec 20, 2022
maistra-bot
added a commit
that referenced
this pull request
Dec 20, 2022
* [federation] Introduces federation deployment (#585)
* [federation] Initial federation implementation
* MAISTRA-2194 Add server/client code for Federation Service Discovery v1
* MAISTRA-2195 Implement /watch endpoint
* MAISTRA-2293 add CRD and controller for federating meshes
* MAISTRA-2294 create CRD for federation ServiceExport (#324)
* MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333)
* [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336)
  Signed-off-by: rcernich <rcernich@redhat.com>
* [misc] Use objects and clients from maistra/api repo
  - Remove local objects and clients
  - Update Makefile
* [federation] MAISTRA-2309 create CRD for FederationStatus (#348)
  Signed-off-by: rcernich <rcernich@redhat.com>
* [federation] Federation fixes and improvements
  MAISTRA-2423 update federation api to v1
  Signed-off-by: rcernich <rcernich@redhat.com>
  MAISTRA-2424 minor updates to federation api
  Signed-off-by: rcernich <rcernich@redhat.com>
  MAISTRA-2427 configure locality info on imported services
  Signed-off-by: rcernich <rcernich@redhat.com>
  Cherry-pick multi-root support (#387)
  * Update go-control-plane to v0.9.9
  * Support multiple roots
  Squashed commit, contains:
  - MAISTRA-2325 Distribute trust bundles over SDS
  - MAISTRA-2390 Push trust bundle updates through xDS (#357)
  MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392)
  Signed-off-by: rcernich <rcernich@redhat.com>
  MAISTRA-2426 move FederationStatus into MeshFederation (#393)
  Signed-off-by: rcernich <rcernich@redhat.com>
  MAISTRA-2513 federation API refinements
  Signed-off-by: rcernich <rcernich@redhat.com>
  [federation] MAISTRA-2237 Encrypt service discovery traffic (#411)
  MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422)
  MAISTRA-2297 Support updates of federation resources (#417)
  MAISTRA-2375: Do not create automatic routes for Federation Gateways
  Remove a redundant call
  `setHostname()` is already being called within `NameForService()`
  see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129
  Remove techPreview.meshConfig from PoC example
  It's set by default now.
  MAISTRA-2611 Fix deletion of service exports to federated mesh (#421)
  Fix test
  MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437)
  * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil
  * Fix test
  MAISTRA-2682 Fix watch mechanism in federation (#439)
  Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data.
  MAISTRA-2683 Properly close incoming watch connections when shutting down (#440)
  Log actual error returned by pollServices() (#441)
  Previously, instead of the actual error, only the following error message was logged: "expected condition not met".
  MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432)
  By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/
  If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported.
  MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425)
  When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments.
  This fixes an istiod startup error as seen in the logs:
  ```
  github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
  ```
* Remove package export and extensions
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix creating discovery.Controller
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix calling nil ResourceManager
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove panicking from AppendNetworkGatewayHandler
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [misc] OSSM-774 Fix flaky TestStatusManager (#456)
  This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures.
  This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1150 Fix flaky TestStatusManager unit test (#478)
  Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
* OSSM-1252 Fix federation status updates (#512)
* Copy federation privileges from base to istio-discovery
* Remove unnecessary ServiceMeshExtensions CRD
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] MAISTRA-2640 Add federation integration test (#447)
* Fix building federation test
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable configuring remote cluster in federation deployment
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* [federation] OSSM-1128 Fix federation (#480)
* Fix SecretCacheClient
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Send initial XDS request for trust bundle from proxy
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Disable using EndpointSlices to fix error on getting federation-egress endpoints
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Remove unused serviceMeshExtensionController
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Fix lint errors
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Update maistra CRDs
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fedration_cp_version_update (#521)
* OSSM-1529 Improve federation example script (#522)
* OSSM-1529 Improve federation example install.sh
  Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again.
  With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls).
  If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script.
* Update Federation example README
* Better "Waiting for load balancer" message
* OSSM-1211 Fix federation locality failover issues (#561)
  Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
  Signed-off-by: rcernich <rcernich@redhat.com>
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
  Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
  Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
  Co-authored-by: Rob Cernich <rcernich@redhat.com>
  Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
  Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
  Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
  Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
  Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
* fix: removes deprecated gogo protobuf conversion
* fix: goimport format
* fix(lint): removes unused funcs
* fix(lint): removes deprecated io/ioutil
* fix(lint): disables staticcheck for federation tests
  it requires at least two clusters to make sense
* fix(lint): use anypb.UnmarshalTo instead of ptypes
* fix: no need to exclude grpcgen_test.go
  it seems to be fixed in v1.39
  see: grpc/grpc-go#4476
* chore(backoff): aligns backoff dependency with v4 used by upstream
* chore: reverts removed blank line - irrelevant for merge
* chore(revive): adds explanation why json:inline is skipped from linting
* OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (#614)
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-2049: Fix handling ServiceAccounts in federation controller (#627)
* Fix collecting empty or repeated ServiceAccounts in federation controller
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Collect ServiceAccounts in sorted order
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-1093 Shorten exported resource name (#653)
* Shorten exported resource name
* Fix import createResourceName + unit tests
* Rearrange unit tests + renaming function
* Gen and lint
* Rearrange unit tests + renaming function
  Gen and lint
* Fix minor changes
* Error message RFC 1123
* Reorganize structs in TestStatusManager
  Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays.
* OSSM-2193 Fix flaky TestStatusManager
  See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test.
* fix: runs make gen
* chore: explains why staticcheck linter is disabled for federation_test
* OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (#670)
* add config example scripts for IBM Systems Z and P
* update multi-arch bookinfo deployment README, remove src
* Update README.md
* these are provided in the IBM repo
* so README.md passes mdlinter
* so README.md passes mdlinter
* so README.md passes mdlinter
* Update README.md
* Move federation examples to samples/ directory
* Rename template YAMLs to .yaml.template
  This makes the linter happy
  Co-authored-by: cfillekes <cfilleke@redhat.com>
  Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com>
* chore: removes obsolete TODO
* chore: simplifies bool return expression
* chore: removes redundant kubeClient check
  if initialization fails this func will not be reached anyway
* chore(pkg): moves kube ctrl under servicemesh pkg folder
* OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* OSSM-2338: Remove "routerMode: sni-dnat" from federation samples
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* fix: adds operator.go customizations to kube.go
  clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost
* fix(test/operator): checks if east-west gw needs to be deployed
* fix(federation): uses Unwrap to get instance of Federation registry
* fix(tests): sets istiod-less remote flag to false
  that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working
* chore: gets registry just before it is needed
* chore: explains why istiodlessremotes is needed to be set to false
* chore: removes redundant import aliases
* chore: removes name collisions
* chore: removes redundant type conversion
* fix: disables staticcheck linter for cluster req tests.
* fix(tests): reverts timeout to original (but in minutes)
* fix(tests): removes extra logging
* chore: removes unnecessary logging
* fix: uses existing CRD file references in charts
* chore: removes multicluster label
* chore: uses built-in namespace.NewOrFail instead of our impl
* chore: introduces defaultTimeout const for federation tests
* fix(lint): fixes go imports
* fix(lint): removes unused variable
* fix: naively wait 5s hoping that kind network will show up
  Signed-off-by: rcernich <rcernich@redhat.com>
  Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
  Signed-off-by: Yuanlin <yuanlin.xu@redhat.com>
  Co-authored-by: Jacek Ewertowski <jewertow@redhat.com>
  Co-authored-by: Daniel Grimm <dgrimm@redhat.com>
  Co-authored-by: Rob Cernich <rcernich@redhat.com>
  Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com>
  Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com>
  Co-authored-by: Marko Lukša <marko.luksa@gmail.com>
  Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com>
  Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com>
  Co-authored-by: bmangoen <bmangoen@redhat.com>
  Co-authored-by: cfillekes <cfilleke@redhat.com>
  Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com>
jewertow added a commit to jewertow/istio that referenced this pull request Aug 30, 2023
jewertow added a commit to jewertow/istio that referenced this pull request Sep 7, 2023
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (maistra#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolete TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests.
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com>
jewertow added a commit to jewertow/istio that referenced this pull request Sep 7, 2023
jewertow pushed a commit to jewertow/istio that referenced this pull request Sep 11, 2023
OSSM-2376: Move kube controller to the federation package (maistra#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (maistra#717) (maistra#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map.
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers have synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (maistra#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (maistra#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (maistra#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
openshift-merge-robot pushed a commit that referenced this pull request Sep 11, 2023
* [federation] Introduces federation deployment (#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422) MAISTRA-2297 Support updates of federation resources (#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call 
`setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (#440) Log actual error returned by pollServices() (#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. 
This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicking from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (#521) * OSSM-1529 Improve federation example script (#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. 
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * 
OSSM-2049: Fix handling ServiceAccounts in federation controller (#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. 
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolete TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests.
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (#717) (#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. 
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers have synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
yannuil pushed a commit to yannuil/maistra-istio that referenced this pull request May 18, 2024
maistra#699) * [federation] Introduces federation deployment (maistra#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (maistra#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (maistra#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (maistra#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422) MAISTRA-2297 Support updates of federation resources 
(maistra#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (maistra#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440) Log actual error returned by pollServices() (maistra#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. 
This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicking from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (maistra#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (maistra#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (maistra#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (maistra#521) * OSSM-1529 Improve federation example script (maistra#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. 
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (maistra#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (maistra#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski 
<jewertow@redhat.com> * OSSM-2049: Fix handling ServiceAccounts in federation controller (maistra#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (maistra#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. 
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (maistra#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolete TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests.
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (maistra#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (maistra#717) (maistra#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. 
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers has synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (maistra#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (maistra#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (maistra#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> --------- Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yann Liu <yannliu@redhat.com>
yannuil pushed a commit to yannuil/maistra-istio that referenced this pull request on May 20, 2024
yannuil added a commit to yannuil/maistra-istio that referenced this pull request on May 21, 2024
… (maistra#844) * [federation] Introduces federation deployment (maistra#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (maistra#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (maistra#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (maistra#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422) MAISTRA-2297 Support updates of federation resources 
(maistra#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (maistra#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440) Log actual error returned by pollServices() (maistra#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. 
This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicking from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call.
* Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (maistra#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (maistra#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (maistra#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (maistra#521) * OSSM-1529 Improve federation example script (maistra#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. 
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (maistra#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (maistra#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski 
<jewertow@redhat.com> * OSSM-2049: Fix handling ServiceAccounts in federation controller (maistra#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (maistra#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. 
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (maistra#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolete TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests.
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (maistra#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (maistra#717) (maistra#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. 
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers have synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (maistra#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (maistra#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (maistra#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Reimplement InstancesByPort method `InstancesByPort` is used by the federation server, which was removed in the upstream istio/istio#46329. We reimplement it to support the federation server. 
--------- Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <yuanlin.xu@redhat.com> Co-authored-by: Brian Mangoenpawiro <bmangoen@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> Signed-off-by: Yann Liu <yannliu@redhat.com>
yannuil added a commit to yannuil/maistra-istio that referenced this pull request May 22, 2024
… (maistra#844) * [federation] Introduces federation deployment (maistra#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (maistra#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (maistra#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (maistra#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (maistra#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (maistra#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (maistra#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (maistra#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (maistra#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (maistra#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (maistra#422) MAISTRA-2297 Support updates of federation resources 
(maistra#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call `setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (maistra#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (maistra#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (maistra#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (maistra#440) Log actual error returned by pollServices() (maistra#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (maistra#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (maistra#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. 
This fixes an istiod startup error as seen in the logs:
```
github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope
```
* Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicking from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (maistra#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call. 
* Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (maistra#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (maistra#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (maistra#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (maistra#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (maistra#521) * OSSM-1529 Improve federation example script (maistra#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. 
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (maistra#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (maistra#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski 
<jewertow@redhat.com> * OSSM-2049: Fix handling ServiceAccounts in federation controller (maistra#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (maistra#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. 
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (maistra#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolete TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specifically for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests. 
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (maistra#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (maistra#717) (maistra#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. 
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers have synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (maistra#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (maistra#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (maistra#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Reimplement InstancesByPort method `InstancesByPort` is used by the federation server, which was removed in the upstream istio/istio#46329. We reimplement it to support the federation server. 
--------- Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <yuanlin.xu@redhat.com> Co-authored-by: Brian Mangoenpawiro <bmangoen@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> Signed-off-by: Yann Liu <yannliu@redhat.com>
openshift-merge-bot bot pushed a commit that referenced this pull request May 22, 2024
* [federation] Introduces federation deployment (#585) * [federation] Initial federation implementation * MAISTRA-2194 Add server/client code for Federation Service Discovery v1 * MAISTRA-2195 Implement /watch endpoint * MAISTRA-2293 add CRD and controller for federating meshes * MAISTRA-2294 create CRD for federation ServiceExport (#324) * MAISTRA-2294 update example VirtualService resources for ratings and mongodb (#333) * [federation] MAISTRA-2295 create CRD for federation ServiceImport (#336) Signed-off-by: rcernich <rcernich@redhat.com> * [misc] Use objects and clients from maistra/api repo - Remove local objects and clients - Update Makefile * [federation] MAISTRA-2309 create CRD for FederationStatus (#348) Signed-off-by: rcernich <rcernich@redhat.com> * [federation] Federation fixes and improvements MAISTRA-2423 update federation api to v1 Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2424 minor updates to federation api Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2427 configure locality info on imported services Signed-off-by: rcernich <rcernich@redhat.com> Cherry-pick multi-root support (#387) * Update go-control-plane to v0.9.9 * Support multiple roots Squashed commit, contains: - MAISTRA-2325 Distribute trust bundles over SDS - MAISTRA-2390 Push trust bundle updates through xDS (#357) MAISTRA-2425 move spec.security.certificateChain to ConfigMap reference; add ability to specify ports for service and discovery (#392) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2426 move FederationStatus into MeshFederation (#393) Signed-off-by: rcernich <rcernich@redhat.com> MAISTRA-2513 federation API refinements Signed-off-by: rcernich <rcernich@redhat.com> [federation] MAISTRA-2237 Encrypt service discovery traffic (#411) MAISTRA-2610 Prefix federation discovery endpoints with /v1/ (#422) MAISTRA-2297 Support updates of federation resources (#417) MAISTRA-2375: Do not create automatic routes for Federation Gateways Remove a redundant call 
`setHostname()` is already being called within `NameForService()` see https://github.com/maistra/istio/blob/21ee900cf8825711f70d88dc97afcf6862ed2626/pkg/servicemesh/federation/common/namemapping.go lines 83, 120, 129 Remove techPreview.meshConfig from PoC example It's set by default now. MAISTRA-2611 Fix deletion of service exports to federated mesh (#421) Fix test MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil (#437) * MAISTRA-2658 Ensure ImportedServiceSet.status.importedServices is never nil * Fix test MAISTRA-2682 Fix watch mechanism in federation (#439) Previously, no events were read from the watch response, because the read started with an endless loop that waited for data to be available in the decoder's buffer. This never happened, because the buffer is only written to when you call decoder.Decode(); this function was never called because the code waited for the buffer to have data. MAISTRA-2683 Properly close incoming watch connections when shutting down (#440) Log actual error returned by pollServices() (#441) Previously, instead of the actual error, only the following error message was logged: "expected condition not met". MAISTRA-2439: Prevent federation from exporting services that are not visible to the federation gateway (#432) By taking into consideration the service annotation `networking.istio.io/exportTo`. This annotation restricts where this service is visible: https://istio.io/latest/docs/reference/config/annotations/ If a service is not reachable from the federation gateway namespace due to this annotation, it should not be exported. MAISTRA-2617: Do not watch all namespaces in Extensions controller (#425) When using MemberRoll, we should rely on it to provide the list of namespaces to watch. If not using it, defaults to command line arguments. 
This fixes an istiod startup error as seen in the logs: ``` github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:i1:istiod-service-account-basic" cannot list resource "servicemeshextensions" in API group "maistra.io" at the cluster scope ``` * Remove package export and extensions Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix creating discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix calling nil ResourceManager Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove panicing from AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [misc] OSSM-774 Fix flaky TestStatusManager (#456) This adds a little sleep to our unit tests for the StatusManager, because without it, we're running into the issue that we're updating a ServiceMeshPeer's status very quickly, and in some cases it might be that the last change has not been propagated when we're generating the patch for the next status change, which can lead to failures. This can happen in the real world, but you would need to change a ServiceMeshPeer's status within a few milliseconds, I doubt that it affects users. It would also be fixed with the next status update. For those reasons, I'm only fixing it in the test, with a Sleep() call. 
* Refactor manager_test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1150 Fix flaky TestStatusManager unit test (#478) Co-authored-by: Marko Lukša <marko.luksa@gmail.com> * OSSM-1252 Fix federation status updates (#512) * Copy federation privileges from base to istio-discovery * Remove unnecessary ServiceMeshExtensions CRD Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add model.NetworkGatewaysHandler to federation controller to implement AppendNetworkGatewayHandler Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] MAISTRA-2640 Add federation integration test (#447) * Fix building federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add package gogo from maistra-2.2 to temporarily fix TbdsGenerator Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable configuring remote cluster in federation deployment Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * [federation] OSSM-1128 Fix federation (#480) * Fix SecretCacheClient Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Send initial XDS request for trust bundle from proxy Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Disable using EndpointSlices to fix error on getting federation-egress endpoints Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Remove unused serviceMeshExtensionController Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Fix lint errors Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Update maistra CRDs Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fedration_cp_version_update (#521) * OSSM-1529 Improve federation example script (#522) * OSSM-1529 Improve federation example install.sh Previously, the script would fall back to using nodeports when the load balancer IP wasn't set. This meant that if the provision of the load balancer took too long, the SMCPs would be misconfigured and you had to run the install script again. 
With this change, the script now waits for the load balancer IP to appear. It never falls back to using node ports, because they never really worked (the nodes' hostnames typically aren't FQDN and the node ports are typically protected by firewalls). If the user wants to expose the federation ingresses in a different way, they can now set the environment variables MESH1_ADDRESS, MESH1_DISCOVERY_PORT, and MESH2_SERVICE_PORT (likewise for MESH2) and run the script. * Update Federation example README * Better "Waiting for load balancer" message * OSSM-1211 Fix federation locality failover issues (#561) Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> * fix: removes deprecated gogo protobuf conversion * fix: goimport format * fix(lint): removes unused funcs * fix(lint): removes deprecated io/ioutil * fix(lint): disables staticcheck for federation tests it requires at least two clusters to make sense * fix(lint): use anypb.UnmarshalTo instead of ptypes * fix: no need to exclude grpcgen_test.go it seems to be fixed in v1.39 see: grpc/grpc-go#4476 * chore(backoff): aligns backoff dependency with v4 used by upstream * chore: reverts removed blank line - irrelevant for merge * chore(revive): adds explanation why json:inline is skipped from linting * OSSM-1962: Use EndpointSlices instead of Endpoints in federation controller (#614) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * 
OSSM-2049: Fix handling ServiceAccounts in federation controller (#627) * Fix collecting empty or repeated ServiceAccounts in federation controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Collect ServiceAccounts in sorted order Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-1093 Shorten exported resource name (#653) * Shorten exported resource name * Fix import createResourceName + unit tests * Rearrange unit tests + renaming function * Gen and lint * Rearrange unit tests + renaming function Gen and lint * Fix minor changes * Error message RFC 1123 * Reorganize structs in TestStatusManager Instead of having three arrays (events, expectedStatuses, and assertions), we now only have a single array, where each entry is a triplet containing the event, the expected status and the assertion. This allows you to see the event and its expected effects together and not have to scroll up and down, matching the indexes of the three arrays. * OSSM-2193 Fix flaky TestStatusManager See comment in https://issues.redhat.com/browse/OSSM-2193 to understand why this change fixes the test. 
* fix: runs make gen * chore: explains why staticcheck linter is disabled for federation_test * OSSM-728 Configuration scripts for Federation on Z and P, and bare metal (#670) * add config example scripts for IBM Systems Z and P * update multi-arch bookinfo deployment README, remove src * Update README.md * these are provided in the IBM repo * so README.md passes mdlinter * so README.md passes mdlinter * so README.md passes mdlinter * Update README.md * Move federation examples to samples/ directory * Rename template YAMLs to .yaml.template This makes the linter happy Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> * chore: removes obsolute TODO * chore: simplifies bool return expression * chore: removes redundant kubeClient check if initialization fails this func will not be reached anyway * chore(pkg): moves kube ctrl under servicemesh pkg folder * OSSM-2338: Remove env ISTIO_META_ROUTER_MODE from federation test Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * OSSM-2338: Remove "routerMode: sni-dnat" from federation samples Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * fix: adds operator.go customizations to kube.go clearly with cherry-pick we lost information about the file rename and thus the changes we made specificually for testing federation got lost * fix(test/operator): checks if east-west gw needs to be deployed * fix(federation): uses Unwrap to get instance of Federation registry * fix(tests): sets istiod-less remote flag to false that was the behaviour for maistra-2.3 and we need istiod to be present in order to have federation working * chore: gets registry just before it is needed * chore: explains why istiodlessremotes is needed to be set to false * chore: removes redundant import aliases * chore: removes name collisions * chore: removes redundant type conversion * fix: disables staticcheck linter for cluster req tests. 
* fix(tests): reverts timeout to original (but in minutes) * fix(tests): removes extra logging * chore: removes unnecessary logging * fix: uses existing CRD file references in charts * chore: removes multicluster label * chore: uses built-in namespace.NewOrFail instead of our impl * chore: introduces defaultTimeout const for federation tests * fix(lint): fixes go imports * fix(lint): removes unused variable * fix: naively wait 5s hoping that kind network will show up Signed-off-by: rcernich <rcernich@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Yuanlin <yuanlin.xu@redhat.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: maistra-bot <57098434+maistra-bot@users.noreply.github.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <xuyuanlin_00@hotmail.com> Co-authored-by: bmangoen <bmangoen@redhat.com> Co-authored-by: cfillekes <cfilleke@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> OSSM-2376: Move kube controller to the federation package (#718) Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> OSSM-2376: Don't start federation controllers until informers have synced (#717) (#720) * OSSM-2376: Don't start federation-discovery-controller until kube informer has synced Federation discovery controller fetches config map with remote CA root cert, so if the controller started before the informer has synced, it would fail to fetch the config map. 
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Store ConfigMap informer in a field of the discovery.Controller Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Refactor ResourceManager and don't start federation controller until informers have synced Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Simplify Start and HasSynced functions in federation controllers Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Move kube controller to the federation package Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Federation example fixes (#758) * Use default version in federation example SMCPs * Fix paths in federation example OSSM-3599 Federation egress-gateway gets wrong network gateway endpoints (#775) * OSSM-3599 Federation egress-gateway gets wrong update of network gateway endpoints * Deprecate GatewayEndpoints on server side * Remove resyncNetworkGateways in unit tests * Fix lint * Deprecate NetworkGatewayEndpoints and fix tests Refactor federation tests (#841) * Refactor federation tests Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> * Add more test cases Signed-off-by: Jacek Ewertowski <jewertow@redhat.com> Reimplement InstancesByPort method `InstancesByPort` is used by the federation server, which was removed in the upstream istio/istio#46329. We reimplement it to support the federation server.
--------- Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Jacek Ewertowski <jewertow@redhat.com> Co-authored-by: Daniel Grimm <dgrimm@redhat.com> Co-authored-by: Rob Cernich <rcernich@redhat.com> Co-authored-by: Jonh Wendell <jonh.wendell@redhat.com> Co-authored-by: Marko Lukša <marko.luksa@gmail.com> Co-authored-by: Praneeth Bajjuri <pbajjuri@redhat.com> Co-authored-by: Yuanlin Xu <yuanlin.xu@redhat.com> Co-authored-by: Brian Mangoenpawiro <bmangoen@redhat.com> Co-authored-by: Cheryl Fillekes <cfillekes@ibm.com> Signed-off-by: Yann Liu <yannliu@redhat.com>
Keeping this as WIP until #379 is merged