Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

networking: match multiple VIPs in sidecar outbound listener #51967

Merged
merged 25 commits into from
Jul 17, 2024
Merged

networking: match multiple VIPs in sidecar outbound listener #51967

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift click to select a range
b1356eb
networking: match multiple addresses in sidecar outbound listener
jewertow Jul 9, 2024
389db0f
Add unit tests for GetAllAddressesForProxy
jewertow Jul 9, 2024
865ae50
Refactor buildSidecarOutboundListener
jewertow Jul 9, 2024
04baef7
Add an integration test
jewertow Jul 9, 2024
bebe1ac
Add a release note
jewertow Jul 9, 2024
c083686
Refactor GetAllAddressesForProxy
jewertow Jul 9, 2024
a5d793d
Fix linter error
jewertow Jul 9, 2024
b458c32
Revert removal svcExtraListenAddresses variable
jewertow Jul 9, 2024
535c2da
Fix unit tests
jewertow Jul 9, 2024
b30db4d
Refactoring
jewertow Jul 9, 2024
4ab355e
Fix TestEDSOverlapping
jewertow Jul 9, 2024
e8938d4
Skip testServiceEntryWithMultipleVIPs in ambient mode
jewertow Jul 9, 2024
8d5b979
Fix TestEDSUnhealthyEndpoints
jewertow Jul 9, 2024
936a768
Add test case for ServiceEntry with resolution NONE and multiple VIPs
jewertow Jul 10, 2024
d978091
Fix lint error
jewertow Jul 10, 2024
87beba3
Fix linter errors
jewertow Jul 10, 2024
ee73ef8
Fix lint error
jewertow Jul 10, 2024
f753f11
Generate service with all ports
jewertow Jul 15, 2024
57d7415
do not create service instance for each hostname/address pair
jewertow Jul 10, 2024
cc85553
Refactor GetExtraAddressesForProxy and revert removal of its usage fr…
jewertow Jul 15, 2024
41f54c4
Fix listenerBindings.Extra()
jewertow Jul 15, 2024
a6798b0
Handle IPv6 prefix length
jewertow Jul 15, 2024
bfcde66
Check address' family only if a proxy supports given family
jewertow Jul 16, 2024
21e0748
Update a comment
jewertow Jul 16, 2024
31b93da
Refactor getAllAddressesForProxy
jewertow Jul 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 43 additions & 8 deletions pilot/pkg/model/service.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1261,22 1261,26 @@ func (s *Service) GetAddressForProxy(node *Proxy) string {
// GetExtraAddressesForProxy returns a k8s service's extra addresses to the cluster where the node resides.
// Especially for dual stack k8s service to get other IP family addresses.
func (s *Service) GetExtraAddressesForProxy(node *Proxy) []string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allowing GetExtraAddressesForProxy to return multiple addresses even in non-Dual-Stack scenarios (though all addresses will share the same family in single-stack), means the "additional-addresses codepath", previously gated behind DS or Ambient flags, could be executed more frequently.
I'm fine with that but I would suggest that we eventually reconsider exposing the DS flag to users. As it is becoming less impactful as times goes on, it may be better to enable this functionality automatically based on internal checks rather than relying on user input.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah long term I would like to remove GetExtraAddressesForProxy and the DS flag

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DS flag cannot be removed very soon. It is still alpha

if features.EnableDualStack && node.Metadata != nil {
if node.Metadata.ClusterID != "" {
addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID)
if len(addresses) > 1 {
return addresses[1:]
}
}
addresses := s.getAllAddressesForProxy(node)
if len(addresses) > 1 {
return addresses[1:]
}
return nil
}

// GetAllAddressesForProxy returns a k8s service's extra addresses to the cluster where the node resides.
// Especially for dual stack k8s service to get other IP family addresses.
func (s *Service) GetAllAddressesForProxy(node *Proxy) []string {
if (features.EnableDualStack || features.EnableAmbient) && node.Metadata != nil && node.Metadata.ClusterID != "" {
return s.getAllAddressesForProxy(node)
}

func (s *Service) getAllAddressesForProxy(node *Proxy) []string {
if node.Metadata != nil && node.Metadata.ClusterID != "" {
addresses := s.ClusterVIPs.GetAddressesFor(node.Metadata.ClusterID)
if (features.EnableDualStack || features.EnableAmbient) && len(addresses) > 0 {
keithmattix marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

donot we need to check whether pod support dual stack?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like a multi cluster mesh, one cluster support only ipv4, the other support dual stack

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this function returns addresses relevant for the cluster of the requesting proxy.

Btw. this is irrelevant in this PR, as I didn't change anything related to dual-stack.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, none of your bussiness. Just see this and indeed it is a bug

Copy link
Contributor

@bleggett bleggett Jul 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, we shouldn't be making decisions based on EnableDualStack and should treat it as a deprecated field - it's almost never the correct signal to check, yes.

return addresses
}
addresses = filterAddresses(addresses, node.SupportsIPv4(), node.SupportsIPv6())
if len(addresses) > 0 {
return addresses
}
Expand All @@ -1298,6 1302,37 @@ func (s *Service) getAllAddresses() []string {
return addresses
}

func filterAddresses(addresses []string, supportsV4, supportsV6 bool) []string {
var ipv4Addresses []string
var ipv6Addresses []string
for _, addr := range addresses {
// check if an address is a CIDR range
if strings.Contains(addr, "/") {
if prefix, err := netip.ParsePrefix(addr); err != nil {
log.Warnf("failed to parse prefix address '%s': %s", addr, err)
continue
} else if supportsV4 && prefix.Addr().Is4() {
ipv4Addresses = append(ipv4Addresses, addr)
} else if supportsV6 && prefix.Addr().Is6() {
ipv6Addresses = append(ipv6Addresses, addr)
}
} else {
if ipAddr, err := netip.ParseAddr(addr); err != nil {
log.Warnf("failed to parse address '%s': %s", addr, err)
continue
} else if supportsV4 && ipAddr.Is4() {
ipv4Addresses = append(ipv4Addresses, addr)
} else if supportsV6 && ipAddr.Is6() {
ipv6Addresses = append(ipv6Addresses, addr)
}
}
}
if len(ipv4Addresses) > 0 {
return ipv4Addresses
}
return ipv6Addresses
}

// GetTLSModeFromEndpointLabels returns the value of the label
// security.istio.io/tlsMode if set. Do not return Enums or constants
// from this function as users could provide values other than istio/disabled
Expand Down
117 changes: 117 additions & 0 deletions pilot/pkg/model/service_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 21,13 @@ import (
"github.com/google/go-cmp/cmp/cmpopts"
fuzz "github.com/google/gofuzz"

"istio.io/istio/pilot/pkg/features"
"istio.io/istio/pkg/cluster"
"istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/config/host"
"istio.io/istio/pkg/config/labels"
"istio.io/istio/pkg/config/visibility"
"istio.io/istio/pkg/test"
"istio.io/istio/pkg/test/util/assert"
)

Expand Down Expand Up @@ -586,3 588,118 @@ func TestParseSubsetKeyHostname(t *testing.T) {
})
}
}

func TestGetAllAddresses(t *testing.T) {
tests := []struct {
name string
service *Service
ipMode IPMode
dualStackEnabled bool
ambientEnabled bool
expectedAddresses []string
expectedExtraAddresses []string
}{
{
name: "IPv4 mode, IPv4 and IPv6 CIDR addresses, expected to return only IPv4 addresses",
service: &Service{
DefaultAddress: "10.0.0.0/28",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32/96", "::ffff:10.0.0.48/96"},
},
},
},
ipMode: IPv4,
expectedAddresses: []string{"10.0.0.0/28", "10.0.0.16/28"},
expectedExtraAddresses: []string{"10.0.0.16/28"},
},
{
name: "IPv6 mode, IPv4 and IPv6 CIDR addresses, expected to return only IPv6 addresses",
service: &Service{
DefaultAddress: "10.0.0.0/28",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32/96", "::ffff:10.0.0.48/96"},
},
},
},
ipMode: IPv6,
expectedAddresses: []string{"::ffff:10.0.0.32/96", "::ffff:10.0.0.48/96"},
expectedExtraAddresses: []string{"::ffff:10.0.0.48/96"},
},
{
name: "dual mode, ISTIO_DUAL_STACK disabled, IPv4 and IPv6 addresses, expected to return only IPv4 addresses",
service: &Service{
DefaultAddress: "10.0.0.0",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0", "10.0.0.16", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
},
},
ipMode: Dual,
expectedAddresses: []string{"10.0.0.0", "10.0.0.16"},
expectedExtraAddresses: []string{"10.0.0.16"},
},
{
name: "dual mode, ISTIO_DUAL_STACK enabled, IPv4 and IPv6 addresses, expected to return only IPv4 addresses",
service: &Service{
DefaultAddress: "10.0.0.0",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0", "10.0.0.16", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
},
},
ipMode: Dual,
dualStackEnabled: true,
expectedAddresses: []string{"10.0.0.0", "10.0.0.16", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
expectedExtraAddresses: []string{"10.0.0.16", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
{
name: "IPv4 mode, ISTIO_DUAL_STACK disabled, ambient enabled, IPv4 and IPv6 addresses, expected to return all addresses",
service: &Service{
DefaultAddress: "10.0.0.0/28",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
},
},
ipMode: IPv4,
ambientEnabled: true,
expectedAddresses: []string{"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
expectedExtraAddresses: []string{"10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
{
name: "IPv6 mode, ISTIO_DUAL_STACK disabled, ambient enabled, IPv4 and IPv6 addresses, expected to return all addresses",
service: &Service{
DefaultAddress: "10.0.0.0/28",
ClusterVIPs: AddressMap{
Addresses: map[cluster.ID][]string{
"id": {"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
},
},
ipMode: IPv6,
ambientEnabled: true,
expectedAddresses: []string{"10.0.0.0/28", "10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
expectedExtraAddresses: []string{"10.0.0.16/28", "::ffff:10.0.0.32", "::ffff:10.0.0.48"},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
if tc.dualStackEnabled {
test.SetForTest(t, &features.EnableDualStack, true)
}
if tc.ambientEnabled {
test.SetForTest(t, &features.EnableAmbient, true)
}
proxy := &Proxy{Metadata: &NodeMetadata{ClusterID: "id"}, ipMode: tc.ipMode}
addresses := tc.service.GetAllAddressesForProxy(proxy)
assert.Equal(t, addresses, tc.expectedAddresses)
extraAddresses := tc.service.GetExtraAddressesForProxy(proxy)
assert.Equal(t, extraAddresses, tc.expectedExtraAddresses)
})
}
}
11 changes: 5 additions & 6 deletions pilot/pkg/networking/core/listener.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,10 264,10 @@ func (l listenerBinding) Primary() string {

// Extra returns any additional bindings. This is always empty if dual stack is disabled
func (l listenerBinding) Extra() []string {
if !features.EnableDualStack || len(l.binds) == 1 {
return nil
if len(l.binds) > 1 {
return l.binds[1:]
}
return l.binds[1:]
return nil
}

type outboundListenerEntry struct {
Expand Down Expand Up @@ -817,9 817,8 @@ func (lb *ListenerBuilder) buildSidecarOutboundListener(listenerOpts outboundLis
} else {
// Address is a CIDR. Fall back to 0.0.0.0 and
// filter chain match
// TODO: this probably needs to handle dual stack better
listenerOpts.bind.binds = actualWildcards
listenerOpts.cidr = svcListenAddress
listenerOpts.cidr = append([]string{svcListenAddress}, svcExtraListenAddresses...)
}
}
}
Expand Down Expand Up @@ -1058,7 1057,7 @@ type outboundListenerOpts struct {
proxy *model.Proxy

bind listenerBinding
cidr string
cidr []string

port *model.Port
service *model.Service
Expand Down
24 changes: 4 additions & 20 deletions pilot/pkg/networking/core/tls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 100,7 @@ func hashRuntimeTLSMatchPredicates(match *v1alpha3.TLSMatchAttributes) string {
return strings.Join(match.SniHosts, ",") "|" strings.Join(match.DestinationSubnets, ",")
}

func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushContext, destinationCIDR string,
func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushContext, destinationCIDRs []string,
service *model.Service, bind string, listenPort *model.Port,
gateways sets.String, configs []config.Config,
) []*filterChainOpts {
Expand Down Expand Up @@ -142,11 142,7 @@ func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushC
// Use the service's CIDRs.
// But if a virtual service overrides it with its own destination subnet match
// give preference to the user provided one
// destinationCIDR will be empty for services with VIPs
var destinationCIDRs []string
if destinationCIDR != "" {
destinationCIDRs = []string{destinationCIDR}
}
// destinationCIDRs will be empty for services with VIPs
// Only set CIDR match if the listener is bound to an IP.
// If its bound to a unix domain socket, then ignore the CIDR matches
// Unix domain socket bound ports have Port value set to 0
Expand Down Expand Up @@ -209,7 205,7 @@ func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushC
svcListenAddress = constants.UnspecifiedIPv6
}

if len(destinationCIDR) > 0 || len(svcListenAddress) == 0 || (svcListenAddress == actualWildcard && bind == actualWildcard) {
if len(destinationCIDRs) > 0 || len(svcListenAddress) == 0 || (svcListenAddress == actualWildcard && bind == actualWildcard) {
sniHosts = []string{string(service.Hostname)}
for _, a := range service.Attributes.Aliases {
alt := GenerateAltVirtualHosts(a.Hostname.String(), 0, node.DNSDomain)
Expand All @@ -219,10 215,6 @@ func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushC
}
destinationRule := CastDestinationRule(node.SidecarScope.DestinationRule(
model.TrafficDirectionOutbound, node, service.Hostname).GetRule())
var destinationCIDRs []string
if destinationCIDR != "" {
destinationCIDRs = []string{destinationCIDR}
}
out = append(out, &filterChainOpts{
sniHosts: sniHosts,
destinationCIDRs: destinationCIDRs,
Expand All @@ -234,7 226,7 @@ func buildSidecarOutboundTLSFilterChainOpts(node *model.Proxy, push *model.PushC
return out
}

func buildSidecarOutboundTCPFilterChainOpts(node *model.Proxy, push *model.PushContext, destinationCIDR string,
func buildSidecarOutboundTCPFilterChainOpts(node *model.Proxy, push *model.PushContext, destinationCIDRs []string,
service *model.Service, listenPort *model.Port,
gateways sets.String, configs []config.Config,
) []*filterChainOpts {
Expand All @@ -253,10 245,6 @@ TcpLoop:
for _, cfg := range configs {
virtualService := cfg.Spec.(*v1alpha3.VirtualService)
for _, tcp := range virtualService.Tcp {
var destinationCIDRs []string
if destinationCIDR != "" {
destinationCIDRs = []string{destinationCIDR}
}
if len(tcp.Match) == 0 {
// implicit match
out = append(out, &filterChainOpts{
Expand Down Expand Up @@ -333,10 321,6 @@ TcpLoop:
if len(push.Mesh.OutboundClusterStatName) != 0 {
statPrefix = telemetry.BuildStatPrefix(push.Mesh.OutboundClusterStatName, string(service.Hostname), "", &model.Port{Port: port}, 0, &service.Attributes)
}
var destinationCIDRs []string
if destinationCIDR != "" {
destinationCIDRs = []string{destinationCIDR}
}
out = append(out, &filterChainOpts{
destinationCIDRs: destinationCIDRs,
networkFilters: lb.buildOutboundNetworkFiltersWithSingleDestination(statPrefix, clusterName, "",
Expand Down
38 changes: 15 additions & 23 deletions pilot/pkg/serviceregistry/serviceentry/conversion.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 47,8 @@ func convertPort(port *networking.ServicePort) *model.Port {
}

type HostAddress struct {
host string
address string
host string
addresses []string
}

// ServiceToServiceEntry converts from internal Service representation to ServiceEntry
Expand Down Expand Up @@ -182,21 182,23 @@ func convertServices(cfg config.Config, clusterID cluster.ID) []*model.Service {
hostAddresses := []*HostAddress{}
for _, hostname := range serviceEntry.Hosts {
if len(serviceEntry.Addresses) > 0 {
ha := &HostAddress{hostname, []string{}}
for _, address := range serviceEntry.Addresses {
// Check if address is an IP first because that is the most common case.
// Check if addresses is an IP first because that is the most common case.
if netutil.IsValidIPAddress(address) {
hostAddresses = append(hostAddresses, &HostAddress{hostname, address})
ha.addresses = append(ha.addresses, address)
} else if cidr, cidrErr := netip.ParsePrefix(address); cidrErr == nil {
newAddress := address
if cidr.Bits() == cidr.Addr().BitLen() {
// /32 mask. Remove the /32 and make it a normal IP address
// /32 mask. Remove the /32 and make it a normal IP addresses
newAddress = cidr.Addr().String()
}
hostAddresses = append(hostAddresses, &HostAddress{hostname, newAddress})
ha.addresses = append(ha.addresses, newAddress)
}
}
hostAddresses = append(hostAddresses, ha)
} else {
hostAddresses = append(hostAddresses, &HostAddress{hostname, constants.UnspecifiedIP})
hostAddresses = append(hostAddresses, &HostAddress{hostname, []string{constants.UnspecifiedIP}})
}
}

Expand All @@ -210,7 212,7 @@ func convertServices(cfg config.Config, clusterID cluster.ID) []*model.Service {
CreationTime: creationTime,
MeshExternal: serviceEntry.Location == networking.ServiceEntry_MESH_EXTERNAL,
Hostname: host.Name(ha.host),
DefaultAddress: ha.address,
DefaultAddress: ha.addresses[0],
Ports: svcPorts,
Resolution: resolution,
Attributes: model.ServiceAttributes{
Expand All @@ -223,20 225,10 @@ func convertServices(cfg config.Config, clusterID cluster.ID) []*model.Service {
LabelSelectors: labelSelectors,
},
ServiceAccounts: serviceEntry.SubjectAltNames,
}
addresses := serviceEntry.Addresses
if len(addresses) == 0 {
addresses = []string{constants.UnspecifiedIP}
}
// This logic ensures backward compatibility for non-ambient proxies.
// It makes sure that the default address is always the first VIP in the list, so there is no difference
// between using DefaultAddress or ClusterVIPs[0] to create a listener.
notDefaultAddresses := sets.New[string](addresses...).Delete(ha.address)
addresses = []string{ha.address}
addresses = append(addresses, sets.SortedList(notDefaultAddresses)...)
svc.ClusterVIPs = model.AddressMap{
Addresses: map[cluster.ID][]string{
clusterID: addresses,
ClusterVIPs: model.AddressMap{
Addresses: map[cluster.ID][]string{
clusterID: ha.addresses,
},
},
}
out = append(out, svc)
Expand Down Expand Up @@ -436,7 428,7 @@ func (s *Controller) convertWorkloadEntryToWorkloadInstance(cfg config.Config, c
dnsServiceEntryOnly = true
}
if addr != "" && !netutil.IsValidIPAddress(addr) {
// k8s can't use workloads with hostnames in the address field.
// k8s can't use workloads with hostnames in the addresses field.
dnsServiceEntryOnly = true
}
tlsMode := getTLSModeFromWorkloadEntry(we)
Expand Down
Loading