[Galley] Adding ServiceEntry synthesis

[nmittler]

Added a new custom projection that is subscribed to events for k8s Pods, Nodes, Services and Endpoints. These events are absorbed and do not become part of the snapshot. Instead, synthetic ServiceEntry resources are generated and become part of the snapshot.

Partially addresses #10497 and #10589

[nmittler]

@ozevren @ayj I've moved the code reorg into a separate PR so they don't pollute this one: #11325

Let's get agreement there first ... then I'll rebase and we can review this.

[ayj]

Is it worth using the k8s defined constants for these labels?

https://github.com/kubernetes/kubernetes/blob/56735065400825d03f8e8f1a546c7a7b5ba9c5fd/pkg/kubelet/apis/well_known_labels.go#L27-L29?

[nmittler]

done

[ayj]

It might be nice for these constants to be accessible by Pilot so we don't need to redefine them (e.g. see here).

[nmittler]

as discussed offline ... I'll remove the custom collection here in favor of just reusing the existing ServiceEntry collection. Pilot will know that these are special since: 1) it will have to create a client that listens on a different group (not "default") and 2) We'll add a special annotation to indicate that the ServiceEntry is synthetic.

[costinm]

And duplicating the constants is less of a problem than introducing a dependency.

[sdake]

@nmittler I understand this PR is WIP. Looks pretty good already! How do you plan to enable this for the operator? ENV variable, config flag? How do you enable this PR in your local env (e.g. if I wanted to eval the PR, how would I?)

Cheers
-steve

[nmittler]

@sdake

@nmittler I understand this PR is WIP. Looks pretty good already! How do you plan to enable this for the operator? ENV variable, config flag? How do you enable this PR in your local env (e.g. if I wanted to eval the PR, how would I?)

Currently, the new flow will be enabled at the source end. I've previously introduced a new flag that filters creation of sources for certain types. By default, this new functionality is "off", since the default filter excludes Pods, Nodes, Endpoints, and Services.

@ozevren @ayj anything to add here?

[rshriram]

is this okay to merge? Would like some ack from galley team

[ozevren]

Looked at this before the last update with benchmarks, lgtm. I'll take a look again for the recent changes. As for getting this in, I don't think this is part of the PR short list @duderino is keeping for 1.1 though.

[ozevren]

Minor nit: if you use t.Run(...) equivalent of b here, then you don't need to reset timer. It should also account memory allocations only within the context of the lambda.

[nmittler]

I'm just not sure what the test name should be in that case. I'd rather err on the side of a clear test name here.

[ozevren]

Can you make these data driven? It looks like there is an opportunity to set the right data model here for adding more variations of the test.

[nmittler]

we can revisit once we have a second data set.

[ozevren]

Not a problem with your checkin in particular, but do the ns and serviceAccount need to be escaped?

[nmittler]

I'm not sure.

@quanjielin @wattli may have more

[nmittler]

@ozevren PTAL ... added one more commit, which adds an integration-level benchmark

[nmittler]

/test e2e-mixer-no_auth

[nmittler]

@ozevren PTAL

[ozevren]

Can we just simply set the debug log level as part of init and not worry about resetting it? Would make the test code cleaner.

[nmittler]

I considered that, but I'd rather not interfere with other tests.

[nmittler]

/test istio-pilot-e2e-envoyv2-v1alpha3

[istio-testing]

@nmittler: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/e2e-simpleTests-cni.sh	99ffdbf	link	/test e2e-simpleTests-cni
prow/istio-integ-k8s-tests.sh	99ffdbf	link	/test istio-integ-k8s-tests
prow/e2e_pilotv2_auth_sds.sh	99ffdbf	link	/test istio_auth_sds_e2e

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[andraxylia]

The new file synthetic/serviceEntry contains in fact k8s nodes, pods, services and it is under networking/v1alpha3.

I was expecting that directory to contain only Istio APIs and serviceEntry.yaml to contain maybe some examples of generated ServiceEntry.

The KRMs should be somewhere else, maybe in the file-system adapter?

[nmittler]

@andraxylia

The new file synthetic/serviceEntry contains in fact k8s nodes, pods, services and it is under networking/v1alpha3.

I was expecting that directory to contain only Istio APIs and serviceEntry.yaml to contain maybe some examples of generated ServiceEntry.

It doesn't really matter much where these files go. I chose to put it under v1alpha3 because it generates a v1alpha3 proto. AFAIK there's not really a pattern established where input and output are from different packages.

The KRMs should be somewhere else, maybe in the file-system adapter?

Again, I don't entirely agree .... and it doesn't really matter much.

[andraxylia]

It may not matter, but it is confusing, so please rename the file from serviceEntry.yaml to something else like krm.yaml (Kubernetes Resource Model). The directory networking/v1alpha3 should also contain examples for user-defined ServiceEntries, those belong in a file called serviceEntry.yaml. Please add tests for user-defined serviceEntries for external services (it can be separate PR).

[nmittler]

Closing this in favor of #12409 (against the master branch)