networking: match multiple VIPs in sidecar outbound listener #51967
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
do-not-merge/work-in-progress
istio-testing
added
the
size/M
|
/test all |
istio-testing
added
size/L
jewertow
changed the title
istio-testing
removed
the
do-not-merge/work-in-progress
hzxuzhonghu
requested changes
Jul 15, 2024
hzxuzhonghu
reviewed
Jul 15, 2024
@hzxuzhonghu I am not sure if I understand what you mean, but this change does not enable dual-stack by default. |
jewertow
force-pushed
the
match-multiple-ips-in-sidecar-listener
branch
2 times, most recently
from
f7a5e0b
to
0b41890
Compare
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Signed-off-by: Jacek Ewertowski <[email protected]>
Actually, that was my initial approach, but I ended up in settings Anyway, if you also think that we should use only single function to get addresses, I could do it in a near future, and now I would like to focus on making it work for HTTP as well. At the end I will submit a PR that will unify usage of these functions. What do you think? |
I'm pretty sure that the original reasoning regarding that separation was made by Steve in order to keep single-stack and DS code as separated as possible. Now that the getAllAddresses became relevant for other usecases it would make sense to revisit that decision. |
|
LGTM, seems like the current concerns are just refactorings around DS handling in the future? |
keithmattix
reviewed
Jul 16, 2024
pilot/pkg/model/service.go
Outdated
| } | ||
| if node.SupportsIPv6() && len(ipv6Addresses) > 0 { | ||
| return ipv6Addresses | ||
| } | ||
| } | ||
| if a := s.GetAddressForProxy(node); a != "" { |
There was a problem hiding this comment.
Yeah I'd recommend renaming this function at some point (fast followup?); it's getting difficult to know what each one does
Signed-off-by: Jacek Ewertowski <[email protected]>
keithmattix
approved these changes
Jul 16, 2024
hzxuzhonghu
reviewed
Jul 17, 2024
| addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID) | ||
| if (features.EnableDualStack || features.EnableAmbient) && len(addresses) > 0 { |
There was a problem hiding this comment.
donot we need to check whether pod support dual stack?
There was a problem hiding this comment.
Like a multi cluster mesh, one cluster support only ipv4, the other support dual stack
There was a problem hiding this comment.
No, this function returns addresses relevant for the cluster of the requesting proxy.
Btw. this is irrelevant in this PR, as I didn't change anything related to dual-stack.
There was a problem hiding this comment.
Yes, none of your bussiness. Just see this and indeed it is a bug
There was a problem hiding this comment.
In general, we shouldn't be making decisions based on EnableDualStack and should treat it as a deprecated field - it's almost never the correct signal to check, yes.
|
@hzxuzhonghu as you requested changes, could you clarify what do you expect to be changed? You didn't point any issue, just raised your concerns, so this is confusing. And now it only waits for your approval. |
hzxuzhonghu
approved these changes
Jul 17, 2024
| addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID) | ||
| if (features.EnableDualStack || features.EnableAmbient) && len(addresses) > 0 { |
There was a problem hiding this comment.
Yes, none of your bussiness. Just see this and indeed it is a bug
jewertow
added
the
cherrypick/release-1.23
|
In response to a cherrypick label: new pull request created: #52148 |
2 tasks
jewertow
added
the
cherrypick/release-1.22
|
In response to a cherrypick label: #51967 failed to apply on top of branch "release-1.22": |
|
In response to a cherrypick label: new issue created for failed cherrypick: #52184 |
|
In response to a cherrypick label: new pull request could not be created: failed to create pull request against istio/istio#release-1.23 from head istio-testing:cherry-pick-51967-to-release-1.23: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for istio-testing:cherry-pick-51967-to-release-1.23."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request","status":"422"} |
jewertow
added a commit
to jewertow/upstream-istio
that referenced
this pull request
Jul 23, 2024
…1967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
istio-testing
pushed a commit
that referenced
this pull request
Jul 23, 2024
…stener (#52249) * networking: match multiple VIPs in sidecar outbound listener (#51967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Revert unintentional change of a comment Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
jewertow
added a commit
to jewertow/upstream-istio
that referenced
this pull request
Jul 23, 2024
…1967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
This was referenced Jul 23, 2024
istio-testing
pushed a commit
that referenced
this pull request
Jul 26, 2024
…stener (#52283) * networking: match multiple VIPs in sidecar outbound listener (#51967) * networking: match multiple addresses in sidecar outbound listener Signed-off-by: Jacek Ewertowski <[email protected]> * Add unit tests for GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add a release note Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter error Signed-off-by: Jacek Ewertowski <[email protected]> * Revert removal svcExtraListenAddresses variable Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Refactoring Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSOverlapping Signed-off-by: Jacek Ewertowski <[email protected]> * Skip testServiceEntryWithMultipleVIPs in ambient mode Signed-off-by: Jacek Ewertowski <[email protected]> * Fix TestEDSUnhealthyEndpoints Signed-off-by: Jacek Ewertowski <[email protected]> * Add test case for ServiceEntry with resolution NONE and multiple VIPs Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Fix linter errors Signed-off-by: Jacek Ewertowski <[email protected]> * Fix lint error Signed-off-by: Jacek Ewertowski <[email protected]> * Generate service with all ports Signed-off-by: Jacek Ewertowski <[email protected]> * do not create service instance for each hostname/address pair Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor GetExtraAddressesForProxy and revert removal of its usage from buildSidecarOutboundListener Signed-off-by: Jacek Ewertowski <[email protected]> * Fix listenerBindings.Extra() Signed-off-by: Jacek Ewertowski <[email protected]> * Handle IPv6 prefix length Signed-off-by: Jacek Ewertowski <[email protected]> * Check address' family only if a proxy supports given family Signed-off-by: Jacek Ewertowski <[email protected]> * Update a comment Signed-off-by: Jacek Ewertowski <[email protected]> * Refactor getAllAddressesForProxy Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Apply missing changes from #51939 Signed-off-by: Jacek Ewertowski <[email protected]> * networking: fix DNS auto-allocation (#52147) * Fix returning auto-allocated address Signed-off-by: Jacek Ewertowski <[email protected]> * Add an integration test Signed-off-by: Jacek Ewertowski <[email protected]> * Add missing build tag and license to dns_auto_allocation_test.go Signed-off-by: Jacek Ewertowski <[email protected]> * Fix unit tests Signed-off-by: Jacek Ewertowski <[email protected]> * Add workload selector to ProxyConfig Signed-off-by: Jacek Ewertowski <[email protected]> * Trigger injection if ProxyConfig was not propagated Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]> * Remove leftovers from conflict resolution Signed-off-by: Jacek Ewertowski <[email protected]> --------- Signed-off-by: Jacek Ewertowski <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description of this PR:
Fixes #51747
What did I change:
GetAllAddressesForProxyandGetExtraAddressesForProxyalways return all addresses for the proxy's IP family. Previously these functions were returning all addresses only whenISTIO_DUAL_STACKwas enabled.buildSidecarOutboundListenerused these functions to configure CIDR matching. These functions always returned the default address, so outbound listeners couldn't match all the addresses. Now, all CIDRs are configured for the supported IP family.convertServicescreated internal service instance for each [host, address] pair. Now, it creates an instance for each [host, address list] pair.Example:
When the following SE is applied:
and I check listeners for port 9092:
I get the following results: