-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
networking: match multiple VIPs in sidecar outbound listener #51967
networking: match multiple VIPs in sidecar outbound listener #51967
Conversation
Skipping CI for Draft Pull Request. |
/test all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a breaking change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dual stack usage percentage is less compared with pure ipv4
@hzxuzhonghu I am not sure if I understand what you mean, but this change does not enable dual-stack by default. |
f7a5e0b
to
0b41890
Compare
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Actually, that was my initial approach, but I ended up in settings Anyway, if you also think that we should use only single function to get addresses, I could do it in a near future, and now I would like to focus on making it work for HTTP as well. At the end I will submit a PR that will unify usage of these functions. What do you think? |
I'm pretty sure that the original reasoning regarding that separation was made by Steve in order to keep single-stack and DS code as separated as possible. Now that the getAllAddresses became relevant for other usecases it would make sense to revisit that decision. |
LGTM, seems like the current concerns are just refactorings around DS handling in the future? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a general 1; I think this is a needed change that reduces the complexity of our dualstack support. I also agree with a lot of the other cleanup comments, but this is a good first step
pilot/pkg/model/service.go
Outdated
} | ||
if node.SupportsIPv6() && len(ipv6Addresses) > 0 { | ||
return ipv6Addresses | ||
} | ||
} | ||
if a := s.GetAddressForProxy(node); a != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'd recommend renaming this function at some point (fast followup?); it's getting difficult to know what each one does
Signed-off-by: Jacek Ewertowski <[email protected]>
addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID) | ||
if (features.EnableDualStack || features.EnableAmbient) && len(addresses) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
donot we need to check whether pod support dual stack?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like a multi cluster mesh, one cluster support only ipv4, the other support dual stack
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this function returns addresses relevant for the cluster of the requesting proxy.
Btw. this is irrelevant in this PR, as I didn't change anything related to dual-stack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, none of your bussiness. Just see this and indeed it is a bug
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, we shouldn't be making decisions based on EnableDualStack
and should treat it as a deprecated field - it's almost never the correct signal to check, yes.
@hzxuzhonghu as you requested changes, could you clarify what do you expect to be changed? You didn't point any issue, just raised your concerns, so this is confusing. And now it only waits for your approval. |
addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID) | ||
if (features.EnableDualStack || features.EnableAmbient) && len(addresses) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, none of your bussiness. Just see this and indeed it is a bug
In response to a cherrypick label: new pull request created: #52148 |
In response to a cherrypick label: #51967 failed to apply on top of branch "release-1.22":
|
In response to a cherrypick label: new issue created for failed cherrypick: #52184 |
In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/istio#release-1.23 from head istio-testing:cherry-pick-51967-to-release-1.23: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-51967-to-release-1.23."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"} |
…1967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
…stener (#52249) * networking: match multiple VIPs in sidecar outbound listener (#51967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Revert unintentional change of a comment Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
…1967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
…stener (#52283) * networking: match multiple VIPs in sidecar outbound listener (#51967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Apply missing changes from #51939 Signed-off-by: Jacek Ewertowski <[email protected]> * networking: fix DNS auto-allocation (#52147) * Fix returning auto-allocated address Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add missing build tag and license to dns_auto_allocation_test.go Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Add workload selector to ProxyConfig Signed-off-by: Jacek Ewertowski <[email protected]> * Trigger injection if ProxyConfig was not propagated Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Remove leftovers from conflict resolution Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
Please provide a description of this PR:
Fixes #51747
What did I change:
GetAllAddressesForProxy
andGetExtraAddressesForProxy
always return all addresses for the proxy's IP family. Previously these functions were returning all addresses only whenISTIO_DUAL_STACK
was enabled.buildSidecarOutboundListener
used these functions to configure CIDR matching. These functions always returned the default address, so outbound listeners couldn't match all the addresses. Now, all CIDRs are configured for the supported IP family.convertServices
created internal service instance for each [host, address] pair. Now, it creates an instance for each [host, address list] pair.Example:
When the following SE is applied:
and I check listeners for port 9092:
I get the following results: