SNI routing from sidecar to gateway with virtual services#6402
Merged
rshriram merged 44 commits intoistio:masterfrom Jul 3, 2018
Merged
SNI routing from sidecar to gateway with virtual services#6402rshriram merged 44 commits intoistio:masterfrom
rshriram merged 44 commits intoistio:masterfrom
Conversation
GregHanson
reviewed
Jun 19, 2018
| @@ -0,0 +1,128 @@ | |||
| package v1alpha3 | |||
Contributor
|
I don't think we should overload protocol specifications in VirtS like this. Looking at the sample you can't actually differentiate between routing TCP traffic and routing tcp-over-tls-via-SNI traffic. This lack of specificity is likely to be dangerous. I'd rather we create a separate stanza for 'tcp-tls' in VirtualService to explicitly handle this protocol form. We're going to need to create stanzas for other protocols going forward so this shouldn't be such a big deal. This would also line up with |
Contributor
Author
|
Refactoring to use istio/api#546... |
Codecov Report
@@ Coverage Diff @@
## master #6402 +/- ##
=======================================
- Coverage 71% 71% -<1%
=======================================
Files 367 369 +2
Lines 31956 32001 +45
=======================================
- Hits 22575 22513 -62
- Misses 8457 8574 +117
+ Partials 924 914 -10
Continue to review full report at Codecov.
|
Contributor
|
@ijsnellf I created a PR to document HTTPS-egress-gateway istio/istio.io#1579, see the From what I see:
|
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Contributor
|
Could you include / paste xDS generated with this change? |
Member
|
which mode? with SNI or with just plain tcp proxy? |
Contributor
|
@rshriram both would be great ;) |
Member
{
"version_info": "2018-07-03 13:43:05.9141201 +0000 UTC m=+93.376140292",
"listener": {
"name": "0.0.0.0_19090",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 19090
}
},
"filter_chains": [
{
"filters": [
{
"name": "mixer",
"config": {
"transport": {
"check_cluster": "outbound|9091||istio-policy.istio-system.svc.cluster.local",
"network_fail_policy": {
"policy": "FAIL_CLOSE"
},
"report_cluster": "outbound|9091||istio-telemetry.istio-system.svc.cluster.local",
"attributes_for_mixer_proxy": {
"attributes": {
"source.uid": {
"string_value": "kubernetes://a-675595579f-sdjxx.istio-system"
}
}
}
},
"disable_check_calls": true,
"mixer_attributes": {
"attributes": {
"destination.service": {
"string_value": "headless.istio-system.svc.cluster.local"
},
"source.uid": {
"string_value": "kubernetes://a-675595579f-sdjxx.istio-system"
},
"source.namespace": {
"string_value": "istio-system"
},
"destination.service.host": {
"string_value": "headless.istio-system.svc.cluster.local"
},
"context.reporter.kind": {
"string_value": "outbound"
},
"context.reporter.uid": {
"string_value": "kubernetes://a-675595579f-sdjxx.istio-system"
}
}
}
}
},{
"name": "envoy.tcp_proxy",
"config": {
"stat_prefix": "outbound|19090||headless.istio-system.svc.cluster.local",
"cluster": "outbound|19090||headless.istio-system.svc.cluster.local"
}
}
]
}
],
"deprecated_v1": {
"bind_to_port": false
}
},TCP proxy |
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
costinm
reviewed
Jul 3, 2018
| // listeners | ||
| if len(opts.filterChainOpts) == 0 { | ||
| log.Warnf("buildGatewayListeners: No filter chain options for gateway (possibly missing virtual services)") | ||
| return []*xdsapi.Listener{}, nil |
costinm
reviewed
Jul 3, 2018
| if err != nil { | ||
| log.Errora("Failed to get services from registry") | ||
| return []*filterChainOpts{} | ||
| return nil |
Contributor
There was a problem hiding this comment.
Metric as well - errors are not visible to users, metrics may show on dashboard.
costinm
reviewed
Jul 3, 2018
| rdsName := model.GatewayRDSRouteName(servers[0]) | ||
| routeCfg := configgen.buildGatewayInboundHTTPRouteConfig(env, node, nameToServiceMap, gatewayNames, servers, rdsName) | ||
| if routeCfg == nil { | ||
| log.Debugf("omitting HTTP listeners for port %d filter chain due to no routes", servers[0].Port) |
Contributor
|
@rshriram no filter chain match? |
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Member
|
Filter chain match for TCP proxy is useless, as it only supports SNI. Will get you SNI routing in a few moments.. |
added 2 commits
July 3, 2018 17:13
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Member
|
SNI routing via egress gateway |
Member
|
SNI routing via gateway, sidecar config |
Collaborator
|
@ijsnellf: The following tests failed, say
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
added 3 commits
July 3, 2018 18:04
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Member
|
merging.. All tests passed. CLA bot stuck |
rshriram
added a commit
that referenced
this pull request
Jul 4, 2018
* fix bug so that destination.service.** attributes are collected (#6801) * remove unnecessary generated attributes finding. (#6785) * modify docker template files for proxyv2 (#6790) * Long-running testing improvements (#6800) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Add values for config map settings, including access log. (#6797) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Address review comments * Merged wrong files * Add the setup helm file - this change now depend on the previous PR. * Sync with remote, remove accidentally added files. * Another accidental file * SNI routing from sidecar to gateway with virtual services (#6402) * quick sni matching 1st pass with no refactoring of existing code * use shriram's api sha * quick pass at using tls block * add some validation * copyright * fix lint + remove deadcode * rename protocol tcp_tls -> tls * update back to istio/api master * remove accidentally added test file * add tls block to gateway logic * add todos * basic sni wildcard implementation * add tcp, fix problems with rbac, matching * better tcp + tls validation * address code review comments * remove out of date comment * update comments * fix compile error * use tcp proxy in tcp routing * add tcp routing e2e test * add forgotten vs config file + update description of test * Comments, bug fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * cleanup gateway tcp test Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * moving networking test yamls Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tcp/tls tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * yaml fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix file switcheroo * port matches Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix authN plugin overwriting TLS context Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * more tests - route via egress gateway Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * yaml fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * initialize prom variables Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * split tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * final test fix hopefully Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * revert gateway tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
istio-testing
pushed a commit
that referenced
this pull request
Jul 7, 2018
* Introducing mcpc, a command-line mcp client tool. (#6715) * Set default requests cpu resource to all deployments (#6229) * Set default requests cpu resource to all deployments * Description added * Requested CPU decreased to meet test env node capacity * Setting requested cpu to 10m as most k8s platforms are defaulting to 0m * Merge master remains * Apply the global resources to the new gateways * Updated goldens to cpu 10m * Clean up and rename the global default resources * Redundant Redis servers were removed + defer in a loop is not recommended. (#6768) * Fix upgrade. (#6792) * Fix upgrade. * Format * Move back the fail close - not clear if we have time to get mixer client in this build, we can remove in next * Add configuration to allow transformation of durations to integers. (#5416) The fluentd handler currently transforms durations to their string representation for log messages. This commit adds a configuration to override this default behaviour and tranform durations to integers of unit millisecond. * Add workload and service dashboard (#6789) * Add workload and service dashboard * fix typo * Skip service dash e2e test for now * Add rushed, missed workload dash * Touch up * Commenting out test until can replicate locally and fix * simplify fmt script (#6798) * simplify fmt script - goimports is a superset of gofmt - shouldn't need to remove spaces - now utilizing -l flag to tell us if there is a diff * always update gofmt to latest * spacing that is now considered incorrect * support hash based routing for soft session affinity (#6742) * support sticky sessions * fmt :( * update servicediscovery fakes * bump istio/api * use updated api for ring hash * support session affinity for sidecar * update destination rule yaml to reflect new api * ttl is a string * unset sdsUdsPath in configmap (#6799) * fix bug so that destination.service.** attributes are collected (#6801) * remove unnecessary generated attributes finding. (#6785) * modify docker template files for proxyv2 (#6790) * Long-running testing improvements (#6800) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Add values for config map settings, including access log. (#6797) * Add values for config map settings, including access log. More docs. * Updates and improvements for the stress-testing configs. * Address review comments * Merged wrong files * Add the setup helm file - this change now depend on the previous PR. * Sync with remote, remove accidentally added files. * Another accidental file * SNI routing from sidecar to gateway with virtual services (#6402) * quick sni matching 1st pass with no refactoring of existing code * use shriram's api sha * quick pass at using tls block * add some validation * copyright * fix lint + remove deadcode * rename protocol tcp_tls -> tls * update back to istio/api master * remove accidentally added test file * add tls block to gateway logic * add todos * basic sni wildcard implementation * add tcp, fix problems with rbac, matching * better tcp + tls validation * address code review comments * remove out of date comment * update comments * fix compile error * use tcp proxy in tcp routing * add tcp routing e2e test * add forgotten vs config file + update description of test * Comments, bug fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * cleanup gateway tcp test Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * moving networking test yamls Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tcp/tls tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * yaml fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix file switcheroo * port matches Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * fix authN plugin overwriting TLS context Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * more tests - route via egress gateway Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * yaml fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * initialize prom variables Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * split tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * final test fix hopefully Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * revert gateway tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Add myself back to OWNERS, sort the list alphabetically. (#6830) * Upload cloudfoundry test result to GCS (#6829) * Fix typos in command-line output.
This was referenced Jul 13, 2018
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds basic SNI routing with matching of
sourceLabelsandmeshbut no L4 attributes. Virtual service hosts must exist in the registry and the match port and destination ports must match.The aim is to be able to support forcing traffic through the egress gateway using SNI.