Adding Alpn for TCP metadata exchange support#20126
Adding Alpn for TCP metadata exchange support#20126istio-testing merged 1 commit intoistio:masterfrom
Conversation
|
@yxue @diemtvu please review per @gargnupur s email. Thanks. |
There was a problem hiding this comment.
Why changing the TLS context for gateway?
There was a problem hiding this comment.
Thanks for pointing.. removing
|
Pay attention to upgrades please. What happens if a 1.4 proxy gets this config and tries to talk to another 1.4 proxy that hasn't gotten this config? |
|
My initial thoughts is that we should only use this ALPN for proxy 1.5. If one of the client or server is using proxies with other versions, the metadata exchange filters will keep silent since one of them doesn't provide ALPN "istio-peer-exchange". |
|
@rshriram Should we put this behind a feature flag, in this case on by default? |
|
@gargnupur we also need integration/e2e tests with this pr. |
I think we should put the code behind the feature flag as @mandarjog pointed out which is controlled by both the proxy version and some feature flag to prevent the scenario that Pilot sends the configuration with metadata exchange filter to 1.4 proxy. Examples: istio/pilot/pkg/networking/util/util.go Line 272 in f6d396f |
9baecbe to
9c90327
Compare
There was a problem hiding this comment.
istio_requests_total is a http metric. I think a TCP metric is supposed to be tested here?
There was a problem hiding this comment.
istio_requests_total is for both http and tcp now. It has protocol field that differentiates between the two.
There was a problem hiding this comment.
Why aren't we following what we have right now? https://istio.io/docs/reference/config/policy-and-telemetry/metrics/ Our dashboard built on the assumption about the categorization of the metrics. And I think there would be user's customized dashboard based on this assumption too. I looked into proxy's code and looks like we are actually not reporting those four tcp metrics?
There was a problem hiding this comment.
We added TCP as protocol in existing metrics.. I can make a change to proxy first and then here to match what we had for 1.4..
There was a problem hiding this comment.
Thanks.. Added a TODO for the same.
There was a problem hiding this comment.
Can you lower case the package name as well as 'TCP' in path?
There was a problem hiding this comment.
Why not verify source side telemetry?
There was a problem hiding this comment.
Because we don't get client complete destination info in client side telemetry yet because of envoyproxy/envoy-wasm#291. Will add once this bug is fixed
There was a problem hiding this comment.
Please add a todo here as well to install these filters via istioctl.
There was a problem hiding this comment.
Unrelated change? If you want to disable mixer, you should set up operator values:
There was a problem hiding this comment.
Remove this? I don't think you need to instantiate a mixer instance.
|
/test gencheck_istio |
There was a problem hiding this comment.
there seems quite some duplicate in this if/else, at least for comments.
There was a problem hiding this comment.
this flag is default off and the effect only are showed in this particular test, right? might worth to try a default on (WIP pr, no need for merge) to see if other features like permissive or sniffing still works from CI tests running results
There was a problem hiding this comment.
Have a PR for turning this default on.. #20258 (will work to fix the conflicts from it)
Regarding permissive or sniffing related tests, they should get ALPN on by default because that is dependent on value of PILOT_ENABLE_TCP_METADATA_EXCHANGE which is default on. This test, tests the mixer v2 part of it.
There was a problem hiding this comment.
Could this be a problem if the clients of this server has not upgraded?
There was a problem hiding this comment.
It should not be because, then ALPN won't match and metadata exchange won't get enabled.
pilot/pkg/features/pilot.go
Outdated
There was a problem hiding this comment.
So it's true by default in 1.5? Could it cause troubles for upgrade path? (some servers have switched to the new ALPN but others might haven't)
There was a problem hiding this comment.
It should not be because, then ALPN won't match and metadata exchange won't get enabled.
There was a problem hiding this comment.
I mean if the server side was enabled, but some clients haven't, then does traffic will get into the (catch-all) filter chain? It my understanding, just want to confirm.
There was a problem hiding this comment.
So this is for TCP only.. so it should get into TCP specific filter chain only...
@yxue : that sound right, right?
… when using mTLS Update based on config Fix tests Trying to fix tests Just do for TCP Enable Metadata Exchange for TCP when mTLS is on cleanup cleanup Fixing lint errors and running make gen Fix make gen Running make gen after rebase Fix license file Add option to enable metadata exchange Fix licensing file Add e2e test Fix e2e test Fix e2e test Fix tests Fix cleanup Fix based on feedback Add meta exc config to filter_types.go Run make gen Using INSERT_BEFORE to adding metadata exchange filter in the top of the list Fix spacing nit Fixed based on feedback Fixed based on feedback Fixed based on feedback Fixed dup in comments
d46b6d6 to
a19b474
Compare
|
Can you rebase this PR please? (and then |
|
/hold cancel NM, already happened |
|
|
||
| replace github.com/Azure/go-autorest => github.com/Azure/go-autorest v13.2.0+incompatible | ||
|
|
||
| replace github.com/istio.io/proxy/src/envoy/tcp/metadata_exchange/config v0.0.0 => ./pilot/pkg/metadata_exchange |
There was a problem hiding this comment.
Why we are doing this? Either import from pilot directly or import from istio.io/proxy?
If this is actually intended, and not just a WIP like previously indicated, can we at least comment why since its not intuitive at all
Turn on v2 telemetry on by default for http and tcp THIS IS PENDING TOC APPROVAL For TCP this will use Alpn based prefixed tunelling metadata exchange -> pending istio#20126 Followed @howardjohn's PR istio#20225 for this. Fixed based on feedback Fix bad rebase Trying to fix bas rebase again Trying to fix bas rebase again Trying to fix bas rebase again
Turn on v2 telemetry on by default for http and tcp THIS IS PENDING TOC APPROVAL For TCP this will use Alpn based prefixed tunelling metadata exchange -> pending istio#20126 Followed @howardjohn's PR istio#20225 for this. Fixed based on feedback Fix bad rebase Trying to fix bas rebase again Trying to fix bas rebase again Trying to fix bas rebase again fix assets file Running Make Gen Running Make Gen after changes to values.yaml Set telemetry component to false Add EnvoyFilter for TCP Run Make gen again Enable mixer in mixer tests Fix Unit test
* add option Turn on v2 telemetry on by default for http and tcp THIS IS PENDING TOC APPROVAL For TCP this will use Alpn based prefixed tunelling metadata exchange -> pending #20126 Followed @howardjohn's PR #20225 for this. Fixed based on feedback Fix bad rebase Trying to fix bas rebase again Trying to fix bas rebase again Trying to fix bas rebase again fix assets file Running Make Gen Running Make Gen after changes to values.yaml Set telemetry component to false Add EnvoyFilter for TCP Run Make gen again Enable mixer in mixer tests Fix Unit test * Run make gen
* add option Turn on v2 telemetry on by default for http and tcp THIS IS PENDING TOC APPROVAL For TCP this will use Alpn based prefixed tunelling metadata exchange -> pending istio#20126 Followed @howardjohn's PR istio#20225 for this. Fixed based on feedback Fix bad rebase Trying to fix bas rebase again Trying to fix bas rebase again Trying to fix bas rebase again fix assets file Running Make Gen Running Make Gen after changes to values.yaml Set telemetry component to false Add EnvoyFilter for TCP Run Make gen again Enable mixer in mixer tests Fix Unit test * Run make gen (cherry picked from commit a24f595)
* add option Turn on v2 telemetry on by default for http and tcp THIS IS PENDING TOC APPROVAL For TCP this will use Alpn based prefixed tunelling metadata exchange -> pending #20126 Followed @howardjohn's PR #20225 for this. Fixed based on feedback Fix bad rebase Trying to fix bas rebase again Trying to fix bas rebase again Trying to fix bas rebase again fix assets file Running Make Gen Running Make Gen after changes to values.yaml Set telemetry component to false Add EnvoyFilter for TCP Run Make gen again Enable mixer in mixer tests Fix Unit test * Run make gen (cherry picked from commit a24f595) Co-authored-by: Nupur Garg <37600866+gargnupur@users.noreply.github.com>
This PR is by @gargnupur
Please specifically review DownstreamTlsContext we add istio-peer-exchange as the first one in order along with http and for UpstreamTlsContext, add istio-peer-exchange with istio for TCP.
Doc for ref: https://docs.google.com/document/d/1s6ou__qRL4UiWY1amyk5p8YzOMQvBhfR15o1U_ZLIow/edit#heading=h.7zgnj8bwqfld