Google Git
Sign in
apache / dubbo-go-pixiu / de9f1befd6a6e38513ea5e704a5488ed608df7d5 / . / pilot / pkg / model / push_context.go
blob: 9c31fdcb7ff0adfd51b18bd4dabac96fe18d6bd6 [file] [log] [blame]
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
import (
"encoding/json"
"fmt"
"math"
"sort"
"strconv"
"strings"
"sync"
"time"
)
import (
"go.uber.org/atomic"
extensions "istio.io/api/extensions/v1alpha1"
meshconfig "istio.io/api/mesh/v1alpha1"
networking "istio.io/api/networking/v1alpha3"
"istio.io/pkg/monitoring"
"k8s.io/apimachinery/pkg/types"
)
import (
"github.com/apache/dubbo-go-pixiu/pilot/pkg/features"
"github.com/apache/dubbo-go-pixiu/pkg/cluster"
"github.com/apache/dubbo-go-pixiu/pkg/config"
"github.com/apache/dubbo-go-pixiu/pkg/config/constants"
"github.com/apache/dubbo-go-pixiu/pkg/config/host"
"github.com/apache/dubbo-go-pixiu/pkg/config/labels"
"github.com/apache/dubbo-go-pixiu/pkg/config/protocol"
"github.com/apache/dubbo-go-pixiu/pkg/config/schema/gvk"
"github.com/apache/dubbo-go-pixiu/pkg/config/visibility"
"github.com/apache/dubbo-go-pixiu/pkg/util/sets"
)
// Metrics is an interface for capturing metrics on a per-node basis.
type Metrics interface {
// AddMetric will add an case to the metric for the given node.
AddMetric(metric monitoring.Metric, key string, proxyID, msg string)
}
var _ Metrics = &PushContext{}
// serviceIndex is an index of all services by various fields for easy access during push.
type serviceIndex struct {
// privateByNamespace are services that can reachable within the same namespace, with exportTo "."
privateByNamespace map[string][]*Service
// public are services reachable within the mesh with exportTo "*"
public []*Service
// exportedToNamespace are services that were made visible to this namespace
// by an exportTo explicitly specifying this namespace.
exportedToNamespace map[string][]*Service
// HostnameAndNamespace has all services, indexed by hostname then namespace.
HostnameAndNamespace map[host.Name]map[string]*Service `json:"-"`
// instancesByPort contains a map of service key and instances by port. It is stored here
// to avoid recomputations during push. This caches instanceByPort calls with empty labels.
// Call InstancesByPort directly when instances need to be filtered by actual labels.
instancesByPort map[string]map[int][]*ServiceInstance
}
func newServiceIndex() serviceIndex {
return serviceIndex{
public: []*Service{},
privateByNamespace: map[string][]*Service{},
exportedToNamespace: map[string][]*Service{},
HostnameAndNamespace: map[host.Name]map[string]*Service{},
instancesByPort: map[string]map[int][]*ServiceInstance{},
}
}
// exportToDefaults contains the default exportTo values.
type exportToDefaults struct {
service map[visibility.Instance]bool
virtualService map[visibility.Instance]bool
destinationRule map[visibility.Instance]bool
}
// virtualServiceIndex is the index of virtual services by various fields.
type virtualServiceIndex struct {
exportedToNamespaceByGateway map[string]map[string][]config.Config
// this contains all the virtual services with exportTo "." and current namespace. The keys are namespace,gateway.
privateByNamespaceAndGateway map[string]map[string][]config.Config
// This contains all virtual services whose exportTo is "*", keyed by gateway
publicByGateway map[string][]config.Config
// root vs namespace/name ->delegate vs virtualservice gvk/namespace/name
delegates map[ConfigKey][]ConfigKey
}
func newVirtualServiceIndex() virtualServiceIndex {
return virtualServiceIndex{
publicByGateway: map[string][]config.Config{},
privateByNamespaceAndGateway: map[string]map[string][]config.Config{},
exportedToNamespaceByGateway: map[string]map[string][]config.Config{},
delegates: map[ConfigKey][]ConfigKey{},
}
}
// destinationRuleIndex is the index of destination rules by various fields.
type destinationRuleIndex struct {
// namespaceLocal contains all public/private dest rules pertaining to a service defined in a given namespace.
namespaceLocal map[string]*consolidatedDestRules
// exportedByNamespace contains all dest rules pertaining to a service exported by a namespace.
exportedByNamespace map[string]*consolidatedDestRules
rootNamespaceLocal *consolidatedDestRules
// mesh/namespace dest rules to be inherited
inheritedByNamespace map[string]*consolidatedDestRule
}
func newDestinationRuleIndex() destinationRuleIndex {
return destinationRuleIndex{
namespaceLocal: map[string]*consolidatedDestRules{},
exportedByNamespace: map[string]*consolidatedDestRules{},
inheritedByNamespace: map[string]*consolidatedDestRule{},
}
}
// sidecarIndex is the index of sidecar rules
type sidecarIndex struct {
// sidecars for each namespace
sidecarsByNamespace map[string][]*SidecarScope
// the Sidecar for the root namespace (if present). This applies to any namespace without its own Sidecar.
rootConfig *config.Config
// computedSidecarsByNamespace contains the default sidecar for namespaces that do not have a sidecar.
// These may be DefaultSidecarScopeForNamespace if rootConfig is empty or ConvertToSidecarScope if not.
// These are lazy-loaded. Access protected by defaultSidecarMu
computedSidecarsByNamespace map[string]*SidecarScope
// gatewayDefaultSidecarsByNamespace contains the default sidecar for namespaces that do not have a sidecar,
// for gateways.
// Unlike computedSidecarsByNamespace, this is *always* the output of DefaultSidecarScopeForNamespace.
// These are lazy-loaded. Access protected by defaultSidecarMu
gatewayDefaultSidecarsByNamespace map[string]*SidecarScope
defaultSidecarMu *sync.Mutex
}
func newSidecarIndex() sidecarIndex {
return sidecarIndex{
sidecarsByNamespace: map[string][]*SidecarScope{},
computedSidecarsByNamespace: map[string]*SidecarScope{},
gatewayDefaultSidecarsByNamespace: map[string]*SidecarScope{},
defaultSidecarMu: &sync.Mutex{},
}
}
// gatewayIndex is the index of gateways by various fields.
type gatewayIndex struct {
// namespace contains gateways by namespace.
namespace map[string][]config.Config
// all contains all gateways.
all []config.Config
}
func newGatewayIndex() gatewayIndex {
return gatewayIndex{
namespace: map[string][]config.Config{},
all: []config.Config{},
}
}
// serviceMetadataIndex is the index of service metadata by various fields.
type serviceMetadataIndex struct {
namespace map[string][]*config.Config
applicationNameByNamespace map[string]map[string]*config.Config
all []*config.Config
}
func newServiceMetadataIndex() serviceMetadataIndex {
return serviceMetadataIndex{
namespace: map[string][]*config.Config{},
applicationNameByNamespace: map[string]map[string]*config.Config{},
all: []*config.Config{},
}
}
// serviceNameMappingIndex is the index of Service Name Mapping by various fields.
type serviceNameMappingIndex struct {
// namespace contains Service Name Mapping by namespace.
namespace map[string][]*config.Config
// interface by namespace
interfaceByNamespace map[string]map[string]*config.Config
// all contains all Service Name Mapping.
all []*config.Config
}
func newServiceNameMappingIndex() serviceNameMappingIndex {
return serviceNameMappingIndex{
namespace: map[string][]*config.Config{},
interfaceByNamespace: map[string]map[string]*config.Config{},
all: []*config.Config{},
}
}
// PushContext tracks the status of a push - metrics and errors.
// Metrics are reset after a push - at the beginning all
// values are zero, and when push completes the status is reset.
// The struct is exposed in a debug endpoint - fields public to allow
// easy serialization as json.
type PushContext struct {
proxyStatusMutex sync.RWMutex
// ProxyStatus is keyed by the error code, and holds a map keyed
// by the ID.
ProxyStatus map[string]map[string]ProxyPushStatus
// Synthesized from env.Mesh
exportToDefaults exportToDefaults
// ServiceIndex is the index of services by various fields.
ServiceIndex serviceIndex
// ServiceAccounts contains a map of hostname and port to service accounts.
ServiceAccounts map[host.Name]map[int][]string `json:"-"`
// virtualServiceIndex is the index of virtual services by various fields.
virtualServiceIndex virtualServiceIndex
// destinationRuleIndex is the index of destination rules by various fields.
destinationRuleIndex destinationRuleIndex
// gatewayIndex is the index of gateways.
gatewayIndex gatewayIndex
// clusterLocalHosts extracted from the MeshConfig
clusterLocalHosts ClusterLocalHosts
// sidecarIndex stores sidecar resources
sidecarIndex sidecarIndex
// serviceMetadataIndex stores service metadata resources
serviceMetadataIndex serviceMetadataIndex
// serviceNameMappingIndex is the index of service name mapping.
serviceNameMappingIndex serviceNameMappingIndex
// envoy filters for each namespace including global config namespace
envoyFiltersByNamespace map[string][]*EnvoyFilterWrapper
// wasm plugins for each namespace including global config namespace
wasmPluginsByNamespace map[string][]*WasmPluginWrapper
// AuthnPolicies contains Authn policies by namespace.
AuthnPolicies *AuthenticationPolicies `json:"-"`
// AuthzPolicies stores the existing authorization policies in the cluster. Could be nil if there
// are no authorization policies in the cluster.
AuthzPolicies *AuthorizationPolicies `json:"-"`
// Telemetry stores the existing Telemetry resources for the cluster.
Telemetry *Telemetries `json:"-"`
// ProxyConfig stores the existing ProxyConfig resources for the cluster.
ProxyConfigs *ProxyConfigs `json:"-"`
// The following data is either a global index or used in the inbound path.
// Namespace specific views do not apply here.
// Mesh configuration for the mesh.
Mesh *meshconfig.MeshConfig `json:"-"`
// PushVersion describes the push version this push context was computed for
PushVersion string
// LedgerVersion is the version of the configuration ledger
LedgerVersion string
// JwtKeyResolver holds a reference to the JWT key resolver instance.
JwtKeyResolver *JwksResolver
// GatewayAPIController holds a reference to the gateway API controller.
GatewayAPIController GatewayController
// cache gateways addresses for each network
// this is mainly used for kubernetes multi-cluster scenario
networkMgr *NetworkManager
InitDone atomic.Bool
initializeMutex sync.Mutex
}
type consolidatedDestRules struct {
// Map of dest rule host to the list of namespaces to which this destination rule has been exported to
exportTo map[host.Name]map[visibility.Instance]bool
// Map of dest rule host and the merged destination rules for that host
destRules map[host.Name][]*consolidatedDestRule
}
// consolidatedDestRule represents a dr and from which it is consolidated.
type consolidatedDestRule struct {
// rule is merged from the following destinationRules.
rule *config.Config
// the original dest rules from which above rule is merged.
from []types.NamespacedName
}
// XDSUpdater is used for direct updates of the xDS model and incremental push.
// Pilot uses multiple registries - for example each K8S cluster is a registry
// instance. Each registry is responsible for tracking a set
// of endpoints associated with mesh services, and calling the EDSUpdate on changes.
// A registry may group endpoints for a service in smaller subsets - for example by
// deployment, or to deal with very large number of endpoints for a service. We want
// to avoid passing around large objects - like full list of endpoints for a registry,
// or the full list of endpoints for a service across registries, since it limits
// scalability.
//
// Future optimizations will include grouping the endpoints by labels, gateway or region to
// reduce the time when subsetting or split-horizon is used. This design assumes pilot
// tracks all endpoints in the mesh and they fit in RAM - so limit is few M endpoints.
// It is possible to split the endpoint tracking in future.
type XDSUpdater interface {
// EDSUpdate is called when the list of endpoints or labels in a Service is changed.
// For each cluster and hostname, the full list of active endpoints (including empty list)
// must be sent. The shard name is used as a key - current implementation is using the
// registry name.
EDSUpdate(shard ShardKey, hostname string, namespace string, entry []*IstioEndpoint)
// EDSCacheUpdate is called when the list of endpoints or labels in a Service is changed.
// For each cluster and hostname, the full list of active endpoints (including empty list)
// must be sent. The shard name is used as a key - current implementation is using the
// registry name.
// Note: the difference with `EDSUpdate` is that it only update the cache rather than requesting a push
EDSCacheUpdate(shard ShardKey, hostname string, namespace string, entry []*IstioEndpoint)
// SvcUpdate is called when a service definition is updated/deleted.
SvcUpdate(shard ShardKey, hostname string, namespace string, event Event)
// ConfigUpdate is called to notify the XDS server of config updates and request a push.
// The requests may be collapsed and throttled.
ConfigUpdate(req *PushRequest)
// ProxyUpdate is called to notify the XDS server to send a push to the specified proxy.
// The requests may be collapsed and throttled.
ProxyUpdate(clusterID cluster.ID, ip string)
// RemoveShard removes all endpoints for the given shard key
RemoveShard(shardKey ShardKey)
}
// PushRequest defines a request to push to proxies
// It is used to send updates to the config update debouncer and pass to the PushQueue.
type PushRequest struct {
// Full determines whether a full push is required or not. If false, an incremental update will be sent.
// Incremental pushes:
// * Do not recompute the push context
// * Do not recompute proxy state (such as ServiceInstances)
// * Are not reported in standard metrics such as push time
// As a result, configuration updates should never be incremental. Generally, only EDS will set this, but
// in the future SDS will as well.
Full bool
// ConfigsUpdated keeps track of configs that have changed.
// This is used as an optimization to avoid unnecessary pushes to proxies that are scoped with a Sidecar.
// If this is empty, then all proxies will get an update.
// Otherwise only proxies depend on these configs will get an update.
// The kind of resources are defined in pkg/config/schemas.
ConfigsUpdated map[ConfigKey]struct{}
// Push stores the push context to use for the update. This may initially be nil, as we will
// debounce changes before a PushContext is eventually created.
Push *PushContext
// Start represents the time a push was started. This represents the time of adding to the PushQueue.
// Note that this does not include time spent debouncing.
Start time.Time
// Reason represents the reason for requesting a push. This should only be a fixed set of values,
// to avoid unbounded cardinality in metrics. If this is not set, it may be automatically filled in later.
// There should only be multiple reasons if the push request is the result of two distinct triggers, rather than
// classifying a single trigger as having multiple reasons.
Reason []TriggerReason
// Delta defines the resources that were added or removed as part of this push request.
// This is set only on requests from the client which change the set of resources they (un)subscribe from.
Delta ResourceDelta
}
// ResourceDelta records the difference in requested resources by an XDS client
type ResourceDelta struct {
// Subscribed indicates the client requested these additional resources
Subscribed sets.Set
// Unsubscribed indicates the client no longer requires these resources
Unsubscribed sets.Set
}
func (rd ResourceDelta) IsEmpty() bool {
return len(rd.Subscribed) == 0 && len(rd.Unsubscribed) == 0
}
type TriggerReason string
// If adding a new reason, update xds/monitoring.go:triggerMetric
const (
// EndpointUpdate describes a push triggered by an Endpoint change
EndpointUpdate TriggerReason = "endpoint"
// ConfigUpdate describes a push triggered by a config (generally and Istio CRD) change.
ConfigUpdate TriggerReason = "config"
// ServiceUpdate describes a push triggered by a Service change
ServiceUpdate TriggerReason = "service"
// ProxyUpdate describes a push triggered by a change to an individual proxy (such as label change)
ProxyUpdate TriggerReason = "proxy"
// GlobalUpdate describes a push triggered by a change to global config, such as mesh config
GlobalUpdate TriggerReason = "global"
// UnknownTrigger describes a push triggered by an unknown reason
UnknownTrigger TriggerReason = "unknown"
// DebugTrigger describes a push triggered for debugging
DebugTrigger TriggerReason = "debug"
// SecretTrigger describes a push triggered for a Secret change
SecretTrigger TriggerReason = "secret"
// NetworksTrigger describes a push triggered for Networks change
NetworksTrigger TriggerReason = "networks"
// ProxyRequest describes a push triggered based on proxy request
ProxyRequest TriggerReason = "proxyrequest"
// NamespaceUpdate describes a push triggered by a Namespace change
NamespaceUpdate TriggerReason = "namespace"
// ClusterUpdate describes a push triggered by a Cluster change
ClusterUpdate TriggerReason = "cluster"
)
// Merge two update requests together
// Merge behaves similarly to a list append; usage should in the form `a = a.merge(b)`.
// Importantly, Merge may decide to allocate a new PushRequest object or reuse the existing one - both
// inputs should not be used after completion.
func (pr *PushRequest) Merge(other *PushRequest) *PushRequest {
if pr == nil {
return other
}
if other == nil {
return pr
}
// Keep the first (older) start time
// Merge the two reasons. Note that we shouldn't deduplicate here, or we would under count
pr.Reason = append(pr.Reason, other.Reason...)
// If either is full we need a full push
pr.Full = pr.Full || other.Full
// The other push context is presumed to be later and more up to date
if other.Push != nil {
pr.Push = other.Push
}
// Do not merge when any one is empty
if len(pr.ConfigsUpdated) == 0 || len(other.ConfigsUpdated) == 0 {
pr.ConfigsUpdated = nil
} else {
for conf := range other.ConfigsUpdated {
pr.ConfigsUpdated[conf] = struct{}{}
}
}
return pr
}
// CopyMerge two update requests together. Unlike Merge, this will not mutate either input.
// This should be used when we are modifying a shared PushRequest (typically any time it's in the context
// of a single proxy)
func (pr *PushRequest) CopyMerge(other *PushRequest) *PushRequest {
if pr == nil {
return other
}
if other == nil {
return pr
}
var reason []TriggerReason
if len(pr.Reason)+len(other.Reason) > 0 {
reason = make([]TriggerReason, 0, len(pr.Reason)+len(other.Reason))
reason = append(reason, pr.Reason...)
reason = append(reason, other.Reason...)
}
merged := &PushRequest{
// Keep the first (older) start time
Start: pr.Start,
// If either is full we need a full push
Full: pr.Full || other.Full,
// The other push context is presumed to be later and more up to date
Push: other.Push,
// Merge the two reasons. Note that we shouldn't deduplicate here, or we would under count
Reason: reason,
}
// Do not merge when any one is empty
if len(pr.ConfigsUpdated) > 0 && len(other.ConfigsUpdated) > 0 {
merged.ConfigsUpdated = make(map[ConfigKey]struct{}, len(pr.ConfigsUpdated)+len(other.ConfigsUpdated))
for conf := range pr.ConfigsUpdated {
merged.ConfigsUpdated[conf] = struct{}{}
}
for conf := range other.ConfigsUpdated {
merged.ConfigsUpdated[conf] = struct{}{}
}
}
return merged
}
func (pr *PushRequest) PushReason() string {
if len(pr.Reason) == 1 && pr.Reason[0] == ProxyRequest {
return " request"
}
return ""
}
// ProxyPushStatus represents an event captured during config push to proxies.
// It may contain additional message and the affected proxy.
type ProxyPushStatus struct {
Proxy string `json:"proxy,omitempty"`
Message string `json:"message,omitempty"`
}
// AddMetric will add an case to the metric.
func (ps *PushContext) AddMetric(metric monitoring.Metric, key string, proxyID, msg string) {
if ps == nil {
log.Infof("Metric without context %s %v %s", key, proxyID, msg)
return
}
ps.proxyStatusMutex.Lock()
defer ps.proxyStatusMutex.Unlock()
metricMap, f := ps.ProxyStatus[metric.Name()]
if !f {
metricMap = map[string]ProxyPushStatus{}
ps.ProxyStatus[metric.Name()] = metricMap
}
ev := ProxyPushStatus{Message: msg, Proxy: proxyID}
metricMap[key] = ev
}
var (
// EndpointNoPod tracks endpoints without an associated pod. This is an error condition, since
// we can't figure out the labels. It may be a transient problem, if endpoint is processed before
// pod.
EndpointNoPod = monitoring.NewGauge(
"endpoint_no_pod",
"Endpoints without an associated pod.",
)
// ProxyStatusNoService represents proxies not selected by any service
// This can be normal - for workloads that act only as client, or are not covered by a Service.
// It can also be an error, for example in cases the Endpoint list of a service was not updated by the time
// the sidecar calls.
// Updated by GetProxyServiceInstances
ProxyStatusNoService = monitoring.NewGauge(
"pilot_no_ip",
"Pods not found in the endpoint table, possibly invalid.",
)
// ProxyStatusEndpointNotReady represents proxies found not be ready.
// Updated by GetProxyServiceInstances. Normal condition when starting
// an app with readiness, error if it doesn't change to 0.
ProxyStatusEndpointNotReady = monitoring.NewGauge(
"pilot_endpoint_not_ready",
"Endpoint found in unready state.",
)
// ProxyStatusConflictOutboundListenerTCPOverHTTP metric tracks number of
// wildcard TCP listeners that conflicted with existing wildcard HTTP listener on same port
ProxyStatusConflictOutboundListenerTCPOverHTTP = monitoring.NewGauge(
"pilot_conflict_outbound_listener_tcp_over_current_http",
"Number of conflicting wildcard tcp listeners with current wildcard http listener.",
)
// ProxyStatusConflictOutboundListenerTCPOverTCP metric tracks number of
// TCP listeners that conflicted with existing TCP listeners on same port
ProxyStatusConflictOutboundListenerTCPOverTCP = monitoring.NewGauge(
"pilot_conflict_outbound_listener_tcp_over_current_tcp",
"Number of conflicting tcp listeners with current tcp listener.",
)
// ProxyStatusConflictOutboundListenerHTTPOverTCP metric tracks number of
// wildcard HTTP listeners that conflicted with existing wildcard TCP listener on same port
ProxyStatusConflictOutboundListenerHTTPOverTCP = monitoring.NewGauge(
"pilot_conflict_outbound_listener_http_over_current_tcp",
"Number of conflicting wildcard http listeners with current wildcard tcp listener.",
)
// ProxyStatusConflictInboundListener tracks cases of multiple inbound
// listeners - 2 services selecting the same port of the pod.
ProxyStatusConflictInboundListener = monitoring.NewGauge(
"pilot_conflict_inbound_listener",
"Number of conflicting inbound listeners.",
)
// DuplicatedClusters tracks duplicate clusters seen while computing CDS
DuplicatedClusters = monitoring.NewGauge(
"pilot_duplicate_envoy_clusters",
"Duplicate envoy clusters caused by service entries with same hostname",
)
// DNSNoEndpointClusters tracks dns clusters without endpoints
DNSNoEndpointClusters = monitoring.NewGauge(
"pilot_dns_cluster_without_endpoints",
"DNS clusters without endpoints caused by the endpoint field in "+
"STRICT_DNS type cluster is not set or the corresponding subset cannot select any endpoint",
)
// ProxyStatusClusterNoInstances tracks clusters (services) without workloads.
ProxyStatusClusterNoInstances = monitoring.NewGauge(
"pilot_eds_no_instances",
"Number of clusters without instances.",
)
// DuplicatedDomains tracks rejected VirtualServices due to duplicated hostname.
DuplicatedDomains = monitoring.NewGauge(
"pilot_vservice_dup_domain",
"Virtual services with dup domains.",
)
// DuplicatedSubsets tracks duplicate subsets that we rejected while merging multiple destination rules for same host
DuplicatedSubsets = monitoring.NewGauge(
"pilot_destrule_subsets",
"Duplicate subsets across destination rules for same host",
)
// totalVirtualServices tracks the total number of virtual service
totalVirtualServices = monitoring.NewGauge(
"pilot_virt_services",
"Total virtual services known to pilot.",
)
// LastPushStatus preserves the metrics and data collected during lasts global push.
// It can be used by debugging tools to inspect the push event. It will be reset after each push with the
// new version.
LastPushStatus *PushContext
// LastPushMutex will protect the LastPushStatus
LastPushMutex sync.Mutex
// All metrics we registered.
metrics = []monitoring.Metric{
EndpointNoPod,
ProxyStatusNoService,
ProxyStatusEndpointNotReady,
ProxyStatusConflictOutboundListenerTCPOverHTTP,
ProxyStatusConflictOutboundListenerTCPOverTCP,
ProxyStatusConflictOutboundListenerHTTPOverTCP,
ProxyStatusConflictInboundListener,
DuplicatedClusters,
ProxyStatusClusterNoInstances,
DuplicatedDomains,
DuplicatedSubsets,
}
)
func init() {
for _, m := range metrics {
monitoring.MustRegister(m)
}
monitoring.MustRegister(totalVirtualServices)
}
// NewPushContext creates a new PushContext structure to track push status.
func NewPushContext() *PushContext {
return &PushContext{
ServiceIndex: newServiceIndex(),
virtualServiceIndex: newVirtualServiceIndex(),
destinationRuleIndex: newDestinationRuleIndex(),
sidecarIndex: newSidecarIndex(),
envoyFiltersByNamespace: map[string][]*EnvoyFilterWrapper{},
gatewayIndex: newGatewayIndex(),
ProxyStatus: map[string]map[string]ProxyPushStatus{},
ServiceAccounts: map[host.Name]map[int][]string{},
serviceMetadataIndex: newServiceMetadataIndex(),
serviceNameMappingIndex: newServiceNameMappingIndex(),
}
}
// AddPublicServices adds the services to context public services - mainly used in tests.
func (ps *PushContext) AddPublicServices(services []*Service) {
ps.ServiceIndex.public = append(ps.ServiceIndex.public, services...)
}
// AddServiceInstances adds instances to the context service instances - mainly used in tests.
func (ps *PushContext) AddServiceInstances(service *Service, instances map[int][]*ServiceInstance) {
svcKey := service.Key()
for port, inst := range instances {
if _, exists := ps.ServiceIndex.instancesByPort[svcKey]; !exists {
ps.ServiceIndex.instancesByPort[svcKey] = make(map[int][]*ServiceInstance)
}
ps.ServiceIndex.instancesByPort[svcKey][port] = append(ps.ServiceIndex.instancesByPort[svcKey][port], inst...)
}
}
// StatusJSON implements json.Marshaller, with a lock.
func (ps *PushContext) StatusJSON() ([]byte, error) {
if ps == nil {
return []byte{'{', '}'}, nil
}
ps.proxyStatusMutex.RLock()
defer ps.proxyStatusMutex.RUnlock()
return json.MarshalIndent(ps.ProxyStatus, "", " ")
}
// OnConfigChange is called when a config change is detected.
func (ps *PushContext) OnConfigChange() {
LastPushMutex.Lock()
LastPushStatus = ps
LastPushMutex.Unlock()
ps.UpdateMetrics()
}
// UpdateMetrics will update the prometheus metrics based on the
// current status of the push.
func (ps *PushContext) UpdateMetrics() {
ps.proxyStatusMutex.RLock()
defer ps.proxyStatusMutex.RUnlock()
for _, pm := range metrics {
mmap := ps.ProxyStatus[pm.Name()]
pm.Record(float64(len(mmap)))
}
}
// It is called after virtual service short host name is resolved to FQDN
func virtualServiceDestinationHosts(v *networking.VirtualService) []string {
if v == nil {
return nil
}
var out []string
for _, h := range v.Http {
for _, r := range h.Route {
if r.Destination != nil {
out = append(out, r.Destination.Host)
}
}
if h.Mirror != nil {
out = append(out, h.Mirror.Host)
}
}
for _, t := range v.Tcp {
for _, r := range t.Route {
if r.Destination != nil {
out = append(out, r.Destination.Host)
}
}
}
for _, t := range v.Tls {
for _, r := range t.Route {
if r.Destination != nil {
out = append(out, r.Destination.Host)
}
}
}
return out
}
// GatewayServices returns the set of services which are referred from the proxy gateways.
func (ps *PushContext) GatewayServices(proxy *Proxy) []*Service {
svcs := proxy.SidecarScope.services
// MergedGateway will be nil when there are no configs in the
// system during initial installation.
if proxy.MergedGateway == nil {
return nil
}
// host set.
hostsFromGateways := sets.New()
for _, gw := range proxy.MergedGateway.GatewayNameForServer {
for _, vsConfig := range ps.VirtualServicesForGateway(proxy.ConfigNamespace, gw) {
vs, ok := vsConfig.Spec.(*networking.VirtualService)
if !ok { // should never happen
log.Errorf("Failed in getting a virtual service: %v", vsConfig.Labels)
return svcs
}
for _, host := range virtualServiceDestinationHosts(vs) {
hostsFromGateways.Insert(host)
}
}
}
hostsFromMeshConfig := getHostsFromMeshConfig(ps)
hostsFromGateways.Merge(hostsFromMeshConfig)
log.Debugf("GatewayServices: gateway %v is exposing these hosts:%v", proxy.ID, hostsFromGateways)
gwSvcs := make([]*Service, 0, len(svcs))
for _, s := range svcs {
svcHost := string(s.Hostname)
if _, ok := hostsFromGateways[svcHost]; ok {
gwSvcs = append(gwSvcs, s)
}
}
log.Debugf("GatewayServices:: gateways len(services)=%d, len(filtered)=%d", len(svcs), len(gwSvcs))
return gwSvcs
}
// add services from MeshConfig.ExtensionProviders
// TODO: include cluster from EnvoyFilter such as global ratelimit [demo](https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/#global-rate-limit)
func getHostsFromMeshConfig(ps *PushContext) sets.Set {
hostsFromMeshConfig := sets.New()
for _, prov := range ps.Mesh.ExtensionProviders {
switch p := prov.Provider.(type) {
case *meshconfig.MeshConfig_ExtensionProvider_EnvoyExtAuthzHttp:
hostsFromMeshConfig.Insert(p.EnvoyExtAuthzHttp.Service)
case *meshconfig.MeshConfig_ExtensionProvider_EnvoyExtAuthzGrpc:
hostsFromMeshConfig.Insert(p.EnvoyExtAuthzGrpc.Service)
case *meshconfig.MeshConfig_ExtensionProvider_Zipkin:
hostsFromMeshConfig.Insert(p.Zipkin.Service)
case *meshconfig.MeshConfig_ExtensionProvider_Lightstep:
hostsFromMeshConfig.Insert(p.Lightstep.Service)
case *meshconfig.MeshConfig_ExtensionProvider_Datadog:
hostsFromMeshConfig.Insert(p.Datadog.Service)
case *meshconfig.MeshConfig_ExtensionProvider_Opencensus:
hostsFromMeshConfig.Insert(p.Opencensus.Service)
case *meshconfig.MeshConfig_ExtensionProvider_Skywalking:
hostsFromMeshConfig.Insert(p.Skywalking.Service)
case *meshconfig.MeshConfig_ExtensionProvider_EnvoyHttpAls:
hostsFromMeshConfig.Insert(p.EnvoyHttpAls.Service)
case *meshconfig.MeshConfig_ExtensionProvider_EnvoyTcpAls:
hostsFromMeshConfig.Insert(p.EnvoyTcpAls.Service)
case *meshconfig.MeshConfig_ExtensionProvider_EnvoyOtelAls:
hostsFromMeshConfig.Insert(p.EnvoyOtelAls.Service)
}
}
return hostsFromMeshConfig
}
// servicesExportedToNamespace returns the list of services that are visible to a namespace.
// namespace "" indicates all namespaces
func (ps *PushContext) servicesExportedToNamespace(ns string) []*Service {
out := make([]*Service, 0)
// First add private services and explicitly exportedTo services
if ns == NamespaceAll {
for _, privateServices := range ps.ServiceIndex.privateByNamespace {
out = append(out, privateServices...)
}
} else {
out = append(out, ps.ServiceIndex.privateByNamespace[ns]...)
out = append(out, ps.ServiceIndex.exportedToNamespace[ns]...)
}
// Second add public services
out = append(out, ps.ServiceIndex.public...)
return out
}
// GetAllServices returns the total services within the mesh.
// Note: per proxy services should use SidecarScope.Services.
func (ps *PushContext) GetAllServices() []*Service {
return ps.servicesExportedToNamespace(NamespaceAll)
}
// ServiceForHostname returns the service associated with a given hostname following SidecarScope
func (ps *PushContext) ServiceForHostname(proxy *Proxy, hostname host.Name) *Service {
if proxy != nil && proxy.SidecarScope != nil {
return proxy.SidecarScope.servicesByHostname[hostname]
}
// SidecarScope shouldn't be null here. If it is, we can't disambiguate the hostname to use for a namespace,
// so the selection must be undefined.
for _, service := range ps.ServiceIndex.HostnameAndNamespace[hostname] {
return service
}
// No service found
return nil
}
// IsServiceVisible returns true if the input service is visible to the given namespace.
func (ps *PushContext) IsServiceVisible(service *Service, namespace string) bool {
if service == nil {
return false
}
ns := service.Attributes.Namespace
if len(service.Attributes.ExportTo) == 0 {
if ps.exportToDefaults.service[visibility.Private] {
return ns == namespace
} else if ps.exportToDefaults.service[visibility.Public] {
return true
}
}
return service.Attributes.ExportTo[visibility.Public] ||
(service.Attributes.ExportTo[visibility.Private] && ns == namespace) ||
service.Attributes.ExportTo[visibility.Instance(namespace)]
}
// VirtualServicesForGateway lists all virtual services bound to the specified gateways
// This replaces store.VirtualServices. Used only by the gateways
// Sidecars use the egressListener.VirtualServices().
func (ps *PushContext) VirtualServicesForGateway(proxyNamespace, gateway string) []config.Config {
res := make([]config.Config, 0, len(ps.virtualServiceIndex.privateByNamespaceAndGateway[proxyNamespace][gateway])+
len(ps.virtualServiceIndex.exportedToNamespaceByGateway[proxyNamespace][gateway])+
len(ps.virtualServiceIndex.publicByGateway[gateway]))
res = append(res, ps.virtualServiceIndex.privateByNamespaceAndGateway[proxyNamespace][gateway]...)
res = append(res, ps.virtualServiceIndex.exportedToNamespaceByGateway[proxyNamespace][gateway]...)
res = append(res, ps.virtualServiceIndex.publicByGateway[gateway]...)
return res
}
func (ps *PushContext) ServiceNameMappingsByNameSpaceAndInterfaceName(proxyNamespace, interfaceName string) *config.Config {
if namespace, exists := ps.serviceNameMappingIndex.interfaceByNamespace[proxyNamespace]; exists {
if snp, exists := namespace[interfaceName]; exists {
return snp
}
}
return nil
}
// DelegateVirtualServicesConfigKey lists all the delegate virtual services configkeys associated with the provided virtual services
func (ps *PushContext) DelegateVirtualServicesConfigKey(vses []config.Config) []ConfigKey {
var out []ConfigKey
for _, vs := range vses {
out = append(out, ps.virtualServiceIndex.delegates[ConfigKey{Kind: gvk.VirtualService, Namespace: vs.Namespace, Name: vs.Name}]...)
}
return out
}
// getSidecarScope returns a SidecarScope object associated with the
// proxy. The SidecarScope object is a semi-processed view of the service
// registry, and config state associated with the sidecar crd. The scope contains
// a set of inbound and outbound listeners, services/configs per listener,
// etc. The sidecar scopes are precomputed in the initSidecarContext
// function based on the Sidecar API objects in each namespace. If there is
// no sidecar api object, a default sidecarscope is assigned to the
// namespace which enables connectivity to all services in the mesh.
//
// Callers can check if the sidecarScope is from user generated object or not
// by checking the sidecarScope.Config field, that contains the user provided config
func (ps *PushContext) getSidecarScope(proxy *Proxy, workloadLabels labels.Instance) *SidecarScope {
// Find the most specific matching sidecar config from the proxy's
// config namespace If none found, construct a sidecarConfig on the fly
// that allows the sidecar to talk to any namespace (the default
// behavior in the absence of sidecars).
if sidecars, ok := ps.sidecarIndex.sidecarsByNamespace[proxy.ConfigNamespace]; ok {
// TODO: logic to merge multiple sidecar resources
// Currently we assume that there will be only one sidecar config for a namespace.
if proxy.Type == Router {
for _, wrapper := range sidecars {
// Gateways should just have a default scope with egress: */*
if wrapper.Sidecar == nil {
return wrapper
}
}
}
if proxy.Type == SidecarProxy {
for _, wrapper := range sidecars {
if wrapper.Sidecar != nil {
sidecar := wrapper.Sidecar
// if there is no workload selector, the config applies to all workloads
// if there is a workload selector, check for matching workload labels
if sidecar.GetWorkloadSelector() != nil {
workloadSelector := labels.Instance(sidecar.GetWorkloadSelector().GetLabels())
// exclude workload selector that not match
if !workloadSelector.SubsetOf(workloadLabels) {
continue
}
}
// it is guaranteed sidecars with selectors are put in front
// and the sidecars are sorted by creation timestamp,
// return exact/wildcard matching one directly
return wrapper
}
// this happens at last, it is the default sidecar scope
return wrapper
}
}
}
// We didn't have a Sidecar in the namespace. This means we should use the default - either an implicit
// default selecting everything, or pulling from the root namespace.
ps.sidecarIndex.defaultSidecarMu.Lock()
defer ps.sidecarIndex.defaultSidecarMu.Unlock()
if proxy.Type == Router {
sc, f := ps.sidecarIndex.gatewayDefaultSidecarsByNamespace[proxy.ConfigNamespace]
if f {
// We have already computed the scope for this namespace, just fetch it
return sc
}
computed := DefaultSidecarScopeForNamespace(ps, proxy.ConfigNamespace)
ps.sidecarIndex.gatewayDefaultSidecarsByNamespace[proxy.ConfigNamespace] = computed
return computed
}
sc, f := ps.sidecarIndex.computedSidecarsByNamespace[proxy.ConfigNamespace]
if f {
// We have already computed the scope for this namespace, just fetch it
return sc
}
// We need to compute this namespace
var computed *SidecarScope
if ps.sidecarIndex.rootConfig != nil {
computed = ConvertToSidecarScope(ps, ps.sidecarIndex.rootConfig, proxy.ConfigNamespace)
} else {
computed = DefaultSidecarScopeForNamespace(ps, proxy.ConfigNamespace)
// Even though we are a sidecar, we can store this as a gateway one since it could be used by a gateway
ps.sidecarIndex.gatewayDefaultSidecarsByNamespace[proxy.ConfigNamespace] = computed
}
ps.sidecarIndex.computedSidecarsByNamespace[proxy.ConfigNamespace] = computed
return computed
}
// destinationRule returns a destination rule for a service name in a given namespace.
func (ps *PushContext) destinationRule(proxyNameSpace string, service *Service) []*consolidatedDestRule {
if service == nil {
return nil
}
// If the proxy config namespace is same as the root config namespace
// look for dest rules in the service's namespace first. This hack is needed
// because sometimes, dubbo-system tends to become the root config namespace.
// Destination rules are defined here for global purposes. We do not want these
// catch all destination rules to be the only dest rule, when processing CDS for
// proxies like the istio-ingressgateway or istio-egressgateway.
// If there are no service specific dest rules, we will end up picking up the same
// rules anyway, later in the code
// 1. select destination rule from proxy config namespace
if proxyNameSpace != ps.Mesh.RootNamespace {
// search through the DestinationRules in proxy's namespace first
if ps.destinationRuleIndex.namespaceLocal[proxyNameSpace] != nil {
if hostname, ok := MostSpecificHostMatch(service.Hostname,
ps.destinationRuleIndex.namespaceLocal[proxyNameSpace].destRules,
); ok {
return ps.destinationRuleIndex.namespaceLocal[proxyNameSpace].destRules[hostname]
}
}
} else {
// If this is a namespace local DR in the same namespace, this must be meant for this proxy, so we do not
// need to worry about overriding other DRs with *.local type rules here. If we ignore this, then exportTo=. in
// root namespace would always be ignored
if hostname, ok := MostSpecificHostMatch(service.Hostname,
ps.destinationRuleIndex.rootNamespaceLocal.destRules,
); ok {
return ps.destinationRuleIndex.rootNamespaceLocal.destRules[hostname]
}
}
// 2. select destination rule from service namespace
svcNs := service.Attributes.Namespace
// This can happen when finding the subset labels for a proxy in root namespace.
// Because based on a pure cluster's fqdn, we do not know the service and
// construct a fake service without setting Attributes at all.
if svcNs == "" {
for _, svc := range ps.servicesExportedToNamespace(proxyNameSpace) {
if service.Hostname == svc.Hostname && svc.Attributes.Namespace != "" {
svcNs = svc.Attributes.Namespace
break
}
}
}
// 3. if no private/public rule matched in the calling proxy's namespace,
// check the target service's namespace for exported rules
if svcNs != "" {
if out := ps.getExportedDestinationRuleFromNamespace(svcNs, service.Hostname, proxyNameSpace); out != nil {
return out
}
}
// 4. if no public/private rule in calling proxy's namespace matched, and no public rule in the
// target service's namespace matched, search for any exported destination rule in the config root namespace
if out := ps.getExportedDestinationRuleFromNamespace(ps.Mesh.RootNamespace, service.Hostname, proxyNameSpace); out != nil {
return out
}
// 5. service DestinationRules were merged in SetDestinationRules, return mesh/namespace rules if present
if features.EnableDestinationRuleInheritance {
// return namespace rule if present
if out := ps.destinationRuleIndex.inheritedByNamespace[proxyNameSpace]; out != nil {
return []*consolidatedDestRule{out}
}
// return mesh rule
if out := ps.destinationRuleIndex.inheritedByNamespace[ps.Mesh.RootNamespace]; out != nil {
return []*consolidatedDestRule{out}
}
}
return nil
}
func (ps *PushContext) getExportedDestinationRuleFromNamespace(owningNamespace string, hostname host.Name, clientNamespace string) []*consolidatedDestRule {
if ps.destinationRuleIndex.exportedByNamespace[owningNamespace] != nil {
if specificHostname, ok := MostSpecificHostMatch(hostname,
ps.destinationRuleIndex.exportedByNamespace[owningNamespace].destRules,
); ok {
// Check if the dest rule for this host is actually exported to the proxy's (client) namespace
exportToMap := ps.destinationRuleIndex.exportedByNamespace[owningNamespace].exportTo[specificHostname]
if len(exportToMap) == 0 || exportToMap[visibility.Public] || exportToMap[visibility.Instance(clientNamespace)] {
if features.EnableDestinationRuleInheritance {
var parent *consolidatedDestRule
// client inherits global DR from its own namespace, not from the exported DR's owning namespace
// grab the client namespace DR or mesh if none exists
if parent = ps.destinationRuleIndex.inheritedByNamespace[clientNamespace]; parent == nil {
parent = ps.destinationRuleIndex.inheritedByNamespace[ps.Mesh.RootNamespace]
}
var inheritedDrList []*consolidatedDestRule
for _, child := range ps.destinationRuleIndex.exportedByNamespace[owningNamespace].destRules[specificHostname] {
inheritedDr := ps.inheritDestinationRule(parent, child)
if inheritedDr != nil {
inheritedDrList = append(inheritedDrList, inheritedDr)
}
}
return inheritedDrList
}
if dr, ok := ps.destinationRuleIndex.exportedByNamespace[owningNamespace].destRules[specificHostname]; ok {
return dr
}
}
}
}
return nil
}
func (ps *PushContext) ServiceMetadata(namespace, applicationName, revision string) *config.Config {
if conf, ok := ps.serviceMetadataIndex.applicationNameByNamespace[namespace][strings.ToLower(fmt.Sprintf("%s-%s", applicationName, revision))]; ok {
return conf
}
return nil
}
// IsClusterLocal indicates whether the endpoints for the service should only be accessible to clients
// within the cluster.
func (ps *PushContext) IsClusterLocal(service *Service) bool {
if service == nil {
return false
}
return ps.clusterLocalHosts.IsClusterLocal(service.Hostname)
}
// InitContext will initialize the data structures used for code generation.
// This should be called before starting the push, from the thread creating
// the push context.
func (ps *PushContext) InitContext(env *Environment, oldPushContext *PushContext, pushReq *PushRequest) error {
// Acquire a lock to ensure we don't concurrently initialize the same PushContext.
// If this does happen, one thread will block then exit early from InitDone=true
ps.initializeMutex.Lock()
defer ps.initializeMutex.Unlock()
if ps.InitDone.Load() {
return nil
}
ps.Mesh = env.Mesh()
ps.LedgerVersion = env.Version()
// Must be initialized first
// as initServiceRegistry/VirtualServices/Destrules
// use the default export map
ps.initDefaultExportMaps()
// create new or incremental update
if pushReq == nil || oldPushContext == nil || !oldPushContext.InitDone.Load() || len(pushReq.ConfigsUpdated) == 0 {
if err := ps.createNewContext(env); err != nil {
return err
}
} else {
if err := ps.updateContext(env, oldPushContext, pushReq); err != nil {
return err
}
}
ps.networkMgr = env.NetworkManager
ps.clusterLocalHosts = env.ClusterLocal().GetClusterLocalHosts()
ps.InitDone.Store(true)
return nil
}
func (ps *PushContext) createNewContext(env *Environment) error {
if err := ps.initServiceRegistry(env); err != nil {
return err
}
if err := ps.initKubernetesGateways(env); err != nil {
return err
}
if err := ps.initVirtualServices(env); err != nil {
return err
}
if err := ps.initDestinationRules(env); err != nil {
return err
}
if err := ps.initAuthnPolicies(env); err != nil {
return err
}
if err := ps.initAuthorizationPolicies(env); err != nil {
authzLog.Errorf("failed to initialize authorization policies: %v", err)
return err
}
if err := ps.initTelemetry(env); err != nil {
return err
}
if err := ps.initProxyConfigs(env); err != nil {
return err
}
if err := ps.initWasmPlugins(env); err != nil {
return err
}
if err := ps.initEnvoyFilters(env); err != nil {
return err
}
if err := ps.initGateways(env); err != nil {
return err
}
if err := ps.initServiceMetadata(env); err != nil {
return err
}
// Must be initialized in the end
if err := ps.initSidecarScopes(env); err != nil {
return err
}
// service name mapping context init
if err := ps.initServiceNameMappings(env); err != nil {
return err
}
return nil
}
func (ps *PushContext) updateContext(
env *Environment,
oldPushContext *PushContext,
pushReq *PushRequest) error {
var servicesChanged, virtualServicesChanged, destinationRulesChanged, gatewayChanged,
authnChanged, authzChanged, envoyFiltersChanged, sidecarsChanged, telemetryChanged, gatewayAPIChanged,
wasmPluginsChanged, proxyConfigsChanged, servicenamemappingsChanged bool
for conf := range pushReq.ConfigsUpdated {
switch conf.Kind {
case gvk.ServiceEntry:
servicesChanged = true
case gvk.DestinationRule:
destinationRulesChanged = true
case gvk.VirtualService:
virtualServicesChanged = true
case gvk.Gateway:
gatewayChanged = true
case gvk.Sidecar:
sidecarsChanged = true
case gvk.WasmPlugin:
wasmPluginsChanged = true
case gvk.EnvoyFilter:
envoyFiltersChanged = true
case gvk.AuthorizationPolicy:
authzChanged = true
case gvk.RequestAuthentication,
gvk.PeerAuthentication:
authnChanged = true
case gvk.HTTPRoute, gvk.TCPRoute, gvk.GatewayClass, gvk.KubernetesGateway, gvk.TLSRoute, gvk.ReferencePolicy:
gatewayAPIChanged = true
// VS and GW are derived from gatewayAPI, so if it changed we need to update those as well
virtualServicesChanged = true
gatewayChanged = true
case gvk.Telemetry:
telemetryChanged = true
case gvk.ProxyConfig:
proxyConfigsChanged = true
case gvk.ServiceNameMapping:
servicenamemappingsChanged = true
}
}
if servicesChanged {
// Services have changed. initialize service registry
if err := ps.initServiceRegistry(env); err != nil {
return err
}
} else {
// make sure we copy over things that would be generated in initServiceRegistry
ps.ServiceIndex = oldPushContext.ServiceIndex
ps.ServiceAccounts = oldPushContext.ServiceAccounts
}
if servicesChanged || gatewayAPIChanged {
// Gateway status depends on services, so recompute if they change as well
if err := ps.initKubernetesGateways(env); err != nil {
return err
}
}
if virtualServicesChanged {
if err := ps.initVirtualServices(env); err != nil {
return err
}
} else {
ps.virtualServiceIndex = oldPushContext.virtualServiceIndex
}
if destinationRulesChanged {
if err := ps.initDestinationRules(env); err != nil {
return err
}
} else {
ps.destinationRuleIndex = oldPushContext.destinationRuleIndex
}
if authnChanged {
if err := ps.initAuthnPolicies(env); err != nil {
return err
}
} else {
ps.AuthnPolicies = oldPushContext.AuthnPolicies
}
if authzChanged {
if err := ps.initAuthorizationPolicies(env); err != nil {
authzLog.Errorf("failed to initialize authorization policies: %v", err)
return err
}
} else {
ps.AuthzPolicies = oldPushContext.AuthzPolicies
}
if telemetryChanged {
if err := ps.initTelemetry(env); err != nil {
return err
}
} else {
ps.Telemetry = oldPushContext.Telemetry
}
if proxyConfigsChanged {
if err := ps.initProxyConfigs(env); err != nil {
return err
}
} else {
ps.ProxyConfigs = oldPushContext.ProxyConfigs
}
if wasmPluginsChanged {
if err := ps.initWasmPlugins(env); err != nil {
return err
}
} else {
ps.wasmPluginsByNamespace = oldPushContext.wasmPluginsByNamespace
}
if envoyFiltersChanged {
if err := ps.initEnvoyFilters(env); err != nil {
return err
}
} else {
ps.envoyFiltersByNamespace = oldPushContext.envoyFiltersByNamespace
}
if gatewayChanged {
if err := ps.initGateways(env); err != nil {
return err
}
} else {
ps.gatewayIndex = oldPushContext.gatewayIndex
}
// Must be initialized in the end
// Sidecars need to be updated if services, virtual services, destination rules, or the sidecar configs change
if servicesChanged || virtualServicesChanged || destinationRulesChanged || sidecarsChanged {
if err := ps.initSidecarScopes(env); err != nil {
return err
}
} else {
ps.sidecarIndex.sidecarsByNamespace = oldPushContext.sidecarIndex.sidecarsByNamespace
}
if servicenamemappingsChanged {
if err := ps.initServiceNameMappings(env); err != nil {
return err
}
} else {
ps.serviceNameMappingIndex = oldPushContext.serviceNameMappingIndex
}
return nil
}
// Caches list of services in the registry, and creates a map
// of hostname to service
func (ps *PushContext) initServiceRegistry(env *Environment) error {
// Sort the services in order of creation.
allServices := SortServicesByCreationTime(env.Services())
for _, s := range allServices {
svcKey := s.Key()
// Precache instances
for _, port := range s.Ports {
if _, ok := ps.ServiceIndex.instancesByPort[svcKey]; !ok {
ps.ServiceIndex.instancesByPort[svcKey] = make(map[int][]*ServiceInstance)
}
instances := make([]*ServiceInstance, 0)
instances = append(instances, env.InstancesByPort(s, port.Port, nil)...)
ps.ServiceIndex.instancesByPort[svcKey][port.Port] = instances
}
if _, f := ps.ServiceIndex.HostnameAndNamespace[s.Hostname]; !f {
ps.ServiceIndex.HostnameAndNamespace[s.Hostname] = map[string]*Service{}
}
ps.ServiceIndex.HostnameAndNamespace[s.Hostname][s.Attributes.Namespace] = s
ns := s.Attributes.Namespace
if len(s.Attributes.ExportTo) == 0 {
if ps.exportToDefaults.service[visibility.Private] {
ps.ServiceIndex.privateByNamespace[ns] = append(ps.ServiceIndex.privateByNamespace[ns], s)
} else if ps.exportToDefaults.service[visibility.Public] {
ps.ServiceIndex.public = append(ps.ServiceIndex.public, s)
}
} else {
// if service has exportTo ~ - i.e. not visible to anyone, ignore all exportTos
// if service has exportTo *, make public and ignore all other exportTos
// if service has exportTo ., replace with current namespace
if s.Attributes.ExportTo[visibility.Public] {
ps.ServiceIndex.public = append(ps.ServiceIndex.public, s)
continue
} else if s.Attributes.ExportTo[visibility.None] {
continue
} else {
// . or other namespaces
for exportTo := range s.Attributes.ExportTo {
if exportTo == visibility.Private || string(exportTo) == ns {
// exportTo with same namespace is effectively private
ps.ServiceIndex.privateByNamespace[ns] = append(ps.ServiceIndex.privateByNamespace[ns], s)
} else {
// exportTo is a specific target namespace
ps.ServiceIndex.exportedToNamespace[string(exportTo)] = append(ps.ServiceIndex.exportedToNamespace[string(exportTo)], s)
}
}
}
}
}
ps.initServiceAccounts(env, allServices)
return nil
}
// SortServicesByCreationTime sorts the list of services in ascending order by their creation time (if available).
func SortServicesByCreationTime(services []*Service) []*Service {
sort.SliceStable(services, func(i, j int) bool {
// If creation time is the same, then behavior is nondeterministic. In this case, we can
// pick an arbitrary but consistent ordering based on name and namespace, which is unique.
// CreationTimestamp is stored in seconds, so this is not uncommon.
if services[i].CreationTime.Equal(services[j].CreationTime) {
in := services[i].Attributes.Name + "." + services[i].Attributes.Namespace
jn := services[j].Attributes.Name + "." + services[j].Attributes.Namespace
return in < jn
}
return services[i].CreationTime.Before(services[j].CreationTime)
})
return services
}
// Caches list of service accounts in the registry
func (ps *PushContext) initServiceAccounts(env *Environment, services []*Service) {
for _, svc := range services {
if ps.ServiceAccounts[svc.Hostname] == nil {
ps.ServiceAccounts[svc.Hostname] = map[int][]string{}
}
for _, port := range svc.Ports {
if port.Protocol == protocol.UDP {
continue
}
ps.ServiceAccounts[svc.Hostname][port.Port] = env.GetIstioServiceAccounts(svc, []int{port.Port})
}
}
}
// Caches list of authentication policies
func (ps *PushContext) initAuthnPolicies(env *Environment) error {
// Init beta policy.
var err error
ps.AuthnPolicies, err = initAuthenticationPolicies(env)
return err
}
// Caches list of virtual services
func (ps *PushContext) initVirtualServices(env *Environment) error {
ps.virtualServiceIndex.exportedToNamespaceByGateway = map[string]map[string][]config.Config{}
ps.virtualServiceIndex.privateByNamespaceAndGateway = map[string]map[string][]config.Config{}
ps.virtualServiceIndex.publicByGateway = map[string][]config.Config{}
virtualServices, err := env.List(gvk.VirtualService, NamespaceAll)
if err != nil {
return err
}
// values returned from ConfigStore.List are immutable.
// Therefore, we make a copy
vservices := make([]config.Config, len(virtualServices))
for i := range vservices {
vservices[i] = virtualServices[i].DeepCopy()
}
totalVirtualServices.Record(float64(len(virtualServices)))
// TODO(rshriram): parse each virtual service and maintain a map of the
// virtualservice name, the list of registry hosts in the VS and non
// registry DNS names in the VS. This should cut down processing in
// the RDS code. See separateVSHostsAndServices in route/route.go
sortConfigByCreationTime(vservices)
// convert all shortnames in virtual services into FQDNs
for _, r := range vservices {
resolveVirtualServiceShortnames(r.Spec.(*networking.VirtualService), r.Meta)
}
vservices, ps.virtualServiceIndex.delegates = mergeVirtualServicesIfNeeded(vservices, ps.exportToDefaults.virtualService)
for _, virtualService := range vservices {
ns := virtualService.Namespace
rule := virtualService.Spec.(*networking.VirtualService)
gwNames := getGatewayNames(rule)
if len(rule.ExportTo) == 0 {
// No exportTo in virtualService. Use the global default
// We only honor ., *
if ps.exportToDefaults.virtualService[visibility.Private] {
if _, f := ps.virtualServiceIndex.privateByNamespaceAndGateway[ns]; !f {
ps.virtualServiceIndex.privateByNamespaceAndGateway[ns] = map[string][]config.Config{}
}
// add to local namespace only
private := ps.virtualServiceIndex.privateByNamespaceAndGateway
for _, gw := range gwNames {
private[ns][gw] = append(private[ns][gw], virtualService)
}
} else if ps.exportToDefaults.virtualService[visibility.Public] {
for _, gw := range gwNames {
ps.virtualServiceIndex.publicByGateway[gw] = append(ps.virtualServiceIndex.publicByGateway[gw], virtualService)
}
}
} else {
exportToMap := make(map[visibility.Instance]bool)
for _, e := range rule.ExportTo {
exportToMap[visibility.Instance(e)] = true
}
// if vs has exportTo ~ - i.e. not visible to anyone, ignore all exportTos
// if vs has exportTo *, make public and ignore all other exportTos
// if vs has exportTo ., replace with current namespace
if exportToMap[visibility.Public] {
for _, gw := range gwNames {
ps.virtualServiceIndex.publicByGateway[gw] = append(ps.virtualServiceIndex.publicByGateway[gw], virtualService)
}
continue
} else if exportToMap[visibility.None] {
// not possible
continue
} else {
// . or other namespaces
for exportTo := range exportToMap {
if exportTo == visibility.Private || string(exportTo) == ns {
if _, f := ps.virtualServiceIndex.privateByNamespaceAndGateway[ns]; !f {
ps.virtualServiceIndex.privateByNamespaceAndGateway[ns] = map[string][]config.Config{}
}
// add to local namespace only
for _, gw := range gwNames {
ps.virtualServiceIndex.privateByNamespaceAndGateway[ns][gw] = append(ps.virtualServiceIndex.privateByNamespaceAndGateway[ns][gw], virtualService)
}
} else {
if _, f := ps.virtualServiceIndex.exportedToNamespaceByGateway[string(exportTo)]; !f {
ps.virtualServiceIndex.exportedToNamespaceByGateway[string(exportTo)] = map[string][]config.Config{}
}
exported := ps.virtualServiceIndex.exportedToNamespaceByGateway
// add to local namespace only
for _, gw := range gwNames {
exported[string(exportTo)][gw] = append(exported[string(exportTo)][gw], virtualService)
}
}
}
}
}
}
return nil
}
var meshGateways = []string{constants.IstioMeshGateway}
func getGatewayNames(vs *networking.VirtualService) []string {
if len(vs.Gateways) == 0 {
return meshGateways
}
res := make([]string, 0, len(vs.Gateways))
res = append(res, vs.Gateways...)
return res
}
func (ps *PushContext) initDefaultExportMaps() {
ps.exportToDefaults.destinationRule = make(map[visibility.Instance]bool)
if ps.Mesh.DefaultDestinationRuleExportTo != nil {
for _, e := range ps.Mesh.DefaultDestinationRuleExportTo {
ps.exportToDefaults.destinationRule[visibility.Instance(e)] = true
}
} else {
// default to *
ps.exportToDefaults.destinationRule[visibility.Public] = true
}
ps.exportToDefaults.service = make(map[visibility.Instance]bool)
if ps.Mesh.DefaultServiceExportTo != nil {
for _, e := range ps.Mesh.DefaultServiceExportTo {
ps.exportToDefaults.service[visibility.Instance(e)] = true
}
} else {
ps.exportToDefaults.service[visibility.Public] = true
}
ps.exportToDefaults.virtualService = make(map[visibility.Instance]bool)
if ps.Mesh.DefaultVirtualServiceExportTo != nil {
for _, e := range ps.Mesh.DefaultVirtualServiceExportTo {
ps.exportToDefaults.virtualService[visibility.Instance(e)] = true
}
} else {
ps.exportToDefaults.virtualService[visibility.Public] = true
}
}
// initSidecarScopes synthesizes Sidecar CRDs into objects called
// SidecarScope. The SidecarScope object is a semi-processed view of the
// service registry, and config state associated with the sidecar CRD. The
// scope contains a set of inbound and outbound listeners, services/configs
// per listener, etc. The sidecar scopes are precomputed based on the
// Sidecar API objects in each namespace. If there is no sidecar api object
// for a namespace, a default sidecarscope is assigned to the namespace
// which enables connectivity to all services in the mesh.
//
// When proxies connect to Pilot, we identify the sidecar scope associated
// with the proxy and derive listeners/routes/clusters based on the sidecar
// scope.
func (ps *PushContext) initSidecarScopes(env *Environment) error {
sidecarConfigs, err := env.List(gvk.Sidecar, NamespaceAll)
if err != nil {
return err
}
sortConfigByCreationTime(sidecarConfigs)
sidecarConfigWithSelector := make([]config.Config, 0)
sidecarConfigWithoutSelector := make([]config.Config, 0)
sidecarsWithoutSelectorByNamespace := sets.New()
for _, sidecarConfig := range sidecarConfigs {
sidecar := sidecarConfig.Spec.(*networking.Sidecar)
if sidecar.WorkloadSelector != nil {
sidecarConfigWithSelector = append(sidecarConfigWithSelector, sidecarConfig)
} else {
sidecarsWithoutSelectorByNamespace.Insert(sidecarConfig.Namespace)
sidecarConfigWithoutSelector = append(sidecarConfigWithoutSelector, sidecarConfig)
}
}
sidecarNum := len(sidecarConfigs)
sidecarConfigs = make([]config.Config, 0, sidecarNum)
// sidecars with selector take preference
sidecarConfigs = append(sidecarConfigs, sidecarConfigWithSelector...)
sidecarConfigs = append(sidecarConfigs, sidecarConfigWithoutSelector...)
// Hold reference root namespace's sidecar config
// Root namespace can have only one sidecar config object
// Currently we expect that it has no workloadSelectors
var rootNSConfig *config.Config
ps.sidecarIndex.sidecarsByNamespace = make(map[string][]*SidecarScope, sidecarNum)
for i, sidecarConfig := range sidecarConfigs {
ps.sidecarIndex.sidecarsByNamespace[sidecarConfig.Namespace] = append(ps.sidecarIndex.sidecarsByNamespace[sidecarConfig.Namespace],
ConvertToSidecarScope(ps, &sidecarConfig, sidecarConfig.Namespace))
if rootNSConfig == nil && sidecarConfig.Namespace == ps.Mesh.RootNamespace &&
sidecarConfig.Spec.(*networking.Sidecar).WorkloadSelector == nil {
rootNSConfig = &sidecarConfigs[i]
}
}
ps.sidecarIndex.rootConfig = rootNSConfig
return nil
}
// Split out of DestinationRule expensive conversions - once per push.
func (ps *PushContext) initDestinationRules(env *Environment) error {
configs, err := env.List(gvk.DestinationRule, NamespaceAll)
if err != nil {
return err
}
// values returned from ConfigStore.List are immutable.
// Therefore, we make a copy
destRules := make([]config.Config, len(configs))
for i := range destRules {
destRules[i] = configs[i].DeepCopy()
}
ps.SetDestinationRules(destRules)
return nil
}
func newConsolidatedDestRules() *consolidatedDestRules {
return &consolidatedDestRules{
exportTo: map[host.Name]map[visibility.Instance]bool{},
destRules: map[host.Name][]*consolidatedDestRule{},
}
}
// SetDestinationRules is updates internal structures using a set of configs.
// Split out of DestinationRule expensive conversions, computed once per push.
// This also allows tests to inject a config without having the mock.
// This will not work properly for Sidecars, which will precompute their destination rules on init
func (ps *PushContext) SetDestinationRules(configs []config.Config) {
// Sort by time first. So if two destination rule have top level traffic policies
// we take the first one.
sortConfigByCreationTime(configs)
namespaceLocalDestRules := make(map[string]*consolidatedDestRules)
exportedDestRulesByNamespace := make(map[string]*consolidatedDestRules)
rootNamespaceLocalDestRules := newConsolidatedDestRules()
inheritedConfigs := make(map[string]*consolidatedDestRule)
for i := range configs {
rule := configs[i].Spec.(*networking.DestinationRule)
if features.EnableDestinationRuleInheritance && rule.Host == "" {
if t, ok := inheritedConfigs[configs[i].Namespace]; ok {
log.Warnf("Namespace/mesh-level DestinationRule is already defined for %q at time %v."+
" Ignore %q which was created at time %v",
configs[i].Namespace, t.rule.CreationTimestamp, configs[i].Name, configs[i].CreationTimestamp)
continue
}
inheritedConfigs[configs[i].Namespace] = convertConsolidatedDestRule(&configs[i])
}
rule.Host = string(ResolveShortnameToFQDN(rule.Host, configs[i].Meta))
exportToMap := make(map[visibility.Instance]bool)
// destination rules with workloadSelector should not be exported to other namespaces
if rule.GetWorkloadSelector() == nil {
for _, e := range rule.ExportTo {
exportToMap[visibility.Instance(e)] = true
}
} else {
exportToMap[visibility.Private] = true
}
// add only if the dest rule is exported with . or * or explicit exportTo containing this namespace
// The global exportTo doesn't matter here (its either . or * - both of which are applicable here)
if len(exportToMap) == 0 || exportToMap[visibility.Public] || exportToMap[visibility.Private] ||
exportToMap[visibility.Instance(configs[i].Namespace)] {
// Store in an index for the config's namespace
// a proxy from this namespace will first look here for the destination rule for a given service
// This pool consists of both public/private destination rules.
if _, exist := namespaceLocalDestRules[configs[i].Namespace]; !exist {
namespaceLocalDestRules[configs[i].Namespace] = newConsolidatedDestRules()
}
// Merge this destination rule with any public/private dest rules for same host in the same namespace
// If there are no duplicates, the dest rule will be added to the list
ps.mergeDestinationRule(namespaceLocalDestRules[configs[i].Namespace], configs[i], exportToMap)
}
isPrivateOnly := false
// No exportTo in destinationRule. Use the global default
// We only honor . and *
if len(exportToMap) == 0 && ps.exportToDefaults.destinationRule[visibility.Private] {
isPrivateOnly = true
} else if len(exportToMap) == 1 && (exportToMap[visibility.Private] || exportToMap[visibility.Instance(configs[i].Namespace)]) {
isPrivateOnly = true
}
if !isPrivateOnly {
if _, exist := exportedDestRulesByNamespace[configs[i].Namespace]; !exist {
exportedDestRulesByNamespace[configs[i].Namespace] = newConsolidatedDestRules()
}
// Merge this destination rule with any other exported dest rule for the same host in the same namespace
// If there are no duplicates, the dest rule will be added to the list
ps.mergeDestinationRule(exportedDestRulesByNamespace[configs[i].Namespace], configs[i], exportToMap)
} else if configs[i].Namespace == ps.Mesh.RootNamespace {
// Keep track of private root namespace destination rules
ps.mergeDestinationRule(rootNamespaceLocalDestRules, configs[i], exportToMap)
}
}
// precompute DestinationRules with inherited fields
if features.EnableDestinationRuleInheritance {
globalRule := inheritedConfigs[ps.Mesh.RootNamespace]
for ns := range namespaceLocalDestRules {
nsRule := inheritedConfigs[ns]
inheritedRule := ps.inheritDestinationRule(globalRule, nsRule)
for hostname, cfgList := range namespaceLocalDestRules[ns].destRules {
for i, cfg := range cfgList {
namespaceLocalDestRules[ns].destRules[hostname][i] = ps.inheritDestinationRule(inheritedRule, cfg)
}
}
// update namespace rule after it has been merged with mesh rule
inheritedConfigs[ns] = inheritedRule
}
// can't precalculate exportedDestRulesByNamespace since we don't know all the client namespaces in advance
// inheritance is performed in getExportedDestinationRuleFromNamespace
}
ps.destinationRuleIndex.namespaceLocal = namespaceLocalDestRules
ps.destinationRuleIndex.exportedByNamespace = exportedDestRulesByNamespace
ps.destinationRuleIndex.rootNamespaceLocal = rootNamespaceLocalDestRules
ps.destinationRuleIndex.inheritedByNamespace = inheritedConfigs
}
func (ps *PushContext) initAuthorizationPolicies(env *Environment) error {
var err error
if ps.AuthzPolicies, err = GetAuthorizationPolicies(env); err != nil {
authzLog.Errorf("failed to initialize authorization policies: %v", err)
return err
}
return nil
}
func (ps *PushContext) initTelemetry(env *Environment) (err error) {
if ps.Telemetry, err = getTelemetries(env); err != nil {
telemetryLog.Errorf("failed to initialize telemetry: %v", err)
return
}
return
}
func (ps *PushContext) initProxyConfigs(env *Environment) error {
var err error
if ps.ProxyConfigs, err = GetProxyConfigs(env.ConfigStore, env.Mesh()); err != nil {
pclog.Errorf("failed to initialize proxy configs: %v", err)
return err
}
return nil
}
// pre computes WasmPlugins per namespace
func (ps *PushContext) initWasmPlugins(env *Environment) error {
wasmplugins, err := env.List(gvk.WasmPlugin, NamespaceAll)
if err != nil {
return err
}
sortConfigByCreationTime(wasmplugins)
ps.wasmPluginsByNamespace = map[string][]*WasmPluginWrapper{}
for _, plugin := range wasmplugins {
if pluginWrapper := convertToWasmPluginWrapper(plugin); pluginWrapper != nil {
ps.wasmPluginsByNamespace[plugin.Namespace] = append(ps.wasmPluginsByNamespace[plugin.Namespace], pluginWrapper)
}
}
return nil
}
// WasmPlugins return the WasmPluginWrappers of a proxy
func (ps *PushContext) WasmPlugins(proxy *Proxy) map[extensions.PluginPhase][]*WasmPluginWrapper {
if proxy == nil {
return nil
}
matchedPlugins := make(map[extensions.PluginPhase][]*WasmPluginWrapper)
// First get all the extension configs from the config root namespace
// and then add the ones from proxy's own namespace
if ps.Mesh.RootNamespace != "" {
// if there is no workload selector, the config applies to all workloads
// if there is a workload selector, check for matching workload labels
for _, plugin := range ps.wasmPluginsByNamespace[ps.Mesh.RootNamespace] {
if plugin.Selector == nil || labels.Instance(plugin.Selector.MatchLabels).SubsetOf(proxy.Metadata.Labels) {
matchedPlugins[plugin.Phase] = append(matchedPlugins[plugin.Phase], plugin)
}
}
}
// To prevent duplicate extensions in case root namespace equals proxy's namespace
if proxy.ConfigNamespace != ps.Mesh.RootNamespace {
for _, plugin := range ps.wasmPluginsByNamespace[proxy.ConfigNamespace] {
if plugin.Selector == nil || labels.Instance(plugin.Selector.MatchLabels).SubsetOf(proxy.Metadata.Labels) {
matchedPlugins[plugin.Phase] = append(matchedPlugins[plugin.Phase], plugin)
}
}
}
// sort slices by priority
for i, slice := range matchedPlugins {
sort.SliceStable(slice, func(i, j int) bool {
iPriority := int64(math.MinInt64)
if prio := slice[i].Priority; prio != nil {
iPriority = prio.Value
}
jPriority := int64(math.MinInt64)
if prio := slice[j].Priority; prio != nil {
jPriority = prio.Value
}
return iPriority > jPriority
})
matchedPlugins[i] = slice
}
return matchedPlugins
}
// pre computes envoy filters per namespace
func (ps *PushContext) initEnvoyFilters(env *Environment) error {
envoyFilterConfigs, err := env.List(gvk.EnvoyFilter, NamespaceAll)
if err != nil {
return err
}
sort.Slice(envoyFilterConfigs, func(i, j int) bool {
ifilter := envoyFilterConfigs[i].Spec.(*networking.EnvoyFilter)
jfilter := envoyFilterConfigs[j].Spec.(*networking.EnvoyFilter)
if ifilter.Priority != jfilter.Priority {
return ifilter.Priority < jfilter.Priority
}
// If priority is same fallback to name and creation timestamp, else use priority.
// If creation time is the same, then behavior is nondeterministic. In this case, we can
// pick an arbitrary but consistent ordering based on name and namespace, which is unique.
// CreationTimestamp is stored in seconds, so this is not uncommon.
if envoyFilterConfigs[i].CreationTimestamp != envoyFilterConfigs[j].CreationTimestamp {
return envoyFilterConfigs[i].CreationTimestamp.Before(envoyFilterConfigs[j].CreationTimestamp)
}
in := envoyFilterConfigs[i].Name + "." + envoyFilterConfigs[i].Namespace
jn := envoyFilterConfigs[j].Name + "." + envoyFilterConfigs[j].Namespace
return in < jn
})
ps.envoyFiltersByNamespace = make(map[string][]*EnvoyFilterWrapper)
for _, envoyFilterConfig := range envoyFilterConfigs {
efw := convertToEnvoyFilterWrapper(&envoyFilterConfig)
if _, exists := ps.envoyFiltersByNamespace[envoyFilterConfig.Namespace]; !exists {
ps.envoyFiltersByNamespace[envoyFilterConfig.Namespace] = make([]*EnvoyFilterWrapper, 0)
}
ps.envoyFiltersByNamespace[envoyFilterConfig.Namespace] = append(ps.envoyFiltersByNamespace[envoyFilterConfig.Namespace], efw)
}
return nil
}
// EnvoyFilters return the merged EnvoyFilterWrapper of a proxy
func (ps *PushContext) EnvoyFilters(proxy *Proxy) *EnvoyFilterWrapper {
// this should never happen
if proxy == nil {
return nil
}
var matchedEnvoyFilters []*EnvoyFilterWrapper
// EnvoyFilters supports inheritance (global ones plus namespace local ones).
// First get all the filter configs from the config root namespace
// and then add the ones from proxy's own namespace
if ps.Mesh.RootNamespace != "" {
matchedEnvoyFilters = ps.getMatchedEnvoyFilters(proxy, ps.Mesh.RootNamespace)
}
// To prevent duplicate envoyfilters in case root namespace equals proxy's namespace
if proxy.ConfigNamespace != ps.Mesh.RootNamespace {
matched := ps.getMatchedEnvoyFilters(proxy, proxy.ConfigNamespace)
matchedEnvoyFilters = append(matchedEnvoyFilters, matched...)
}
var out *EnvoyFilterWrapper
if len(matchedEnvoyFilters) > 0 {
out = &EnvoyFilterWrapper{
// no need populate workloadSelector, as it is not used later.
Patches: make(map[networking.EnvoyFilter_ApplyTo][]*EnvoyFilterConfigPatchWrapper),
}
// merge EnvoyFilterWrapper
for _, efw := range matchedEnvoyFilters {
for applyTo, cps := range efw.Patches {
for _, cp := range cps {
if proxyMatch(proxy, cp) {
out.Patches[applyTo] = append(out.Patches[applyTo], cp)
}
}
}
}
}
return out
}
// if there is no workload selector, the config applies to all workloads
// if there is a workload selector, check for matching workload labels
func (ps *PushContext) getMatchedEnvoyFilters(proxy *Proxy, namespaces string) []*EnvoyFilterWrapper {
matchedEnvoyFilters := make([]*EnvoyFilterWrapper, 0)
for _, efw := range ps.envoyFiltersByNamespace[namespaces] {
if efw.workloadSelector == nil || efw.workloadSelector.SubsetOf(proxy.Metadata.Labels) {
matchedEnvoyFilters = append(matchedEnvoyFilters, efw)
}
}
return matchedEnvoyFilters
}
// HasEnvoyFilters checks if an EnvoyFilter exists with the given name at the given namespace.
func (ps *PushContext) HasEnvoyFilters(name, namespace string) bool {
for _, efw := range ps.envoyFiltersByNamespace[namespace] {
if efw.Name == name {
return true
}
}
return false
}
// pre computes gateways per namespace
func (ps *PushContext) initGateways(env *Environment) error {
gatewayConfigs, err := env.List(gvk.Gateway, NamespaceAll)
if err != nil {
return err
}
sortConfigByCreationTime(gatewayConfigs)
if features.ScopeGatewayToNamespace {
ps.gatewayIndex.namespace = make(map[string][]config.Config)
for _, gatewayConfig := range gatewayConfigs {
if _, exists := ps.gatewayIndex.namespace[gatewayConfig.Namespace]; !exists {
ps.gatewayIndex.namespace[gatewayConfig.Namespace] = make([]config.Config, 0)
}
ps.gatewayIndex.namespace[gatewayConfig.Namespace] = append(ps.gatewayIndex.namespace[gatewayConfig.Namespace], gatewayConfig)
}
} else {
ps.gatewayIndex.all = gatewayConfigs
}
return nil
}
func (ps *PushContext) initServiceMetadata(env *Environment) error {
metadataConfig, err := env.List(gvk.ServiceMetadata, NamespaceAll)
if err != nil {
return err
}
sortConfigByCreationTime(metadataConfig)
ps.serviceMetadataIndex.namespace = make(map[string][]*config.Config)
ps.serviceMetadataIndex.applicationNameByNamespace = make(map[string]map[string]*config.Config)
ps.serviceMetadataIndex.all = make([]*config.Config, 0)
for _, conf := range metadataConfig {
if _, ok := ps.serviceMetadataIndex.namespace[conf.Namespace]; !ok {
ps.serviceMetadataIndex.namespace[conf.Namespace] = make([]*config.Config, 0)
}
if _, ok := ps.serviceMetadataIndex.applicationNameByNamespace[conf.Namespace]; !ok {
ps.serviceMetadataIndex.applicationNameByNamespace[conf.Namespace] = make(map[string]*config.Config, 0)
}
ps.serviceMetadataIndex.namespace[conf.Namespace] = append(ps.serviceMetadataIndex.namespace[conf.Namespace], &conf)
ps.serviceMetadataIndex.applicationNameByNamespace[conf.Namespace][conf.Name] = &conf
ps.serviceMetadataIndex.all = append(ps.serviceMetadataIndex.all, &conf)
}
return nil
}
// InternalGatewayServiceAnnotation represents the hostname of the service a gateway will use. This is
// only used internally to transfer information from the Kubernetes Gateway API to the Istio Gateway API
// which does not have a field to represent this.
// The format is a comma separated list of hostnames. For example, "ingress.dubbo-system.svc.cluster.local,ingress.example.com"
// The Gateway will apply to all ServiceInstances of these services, *in the same namespace as the Gateway*.
const InternalGatewayServiceAnnotation = "internal.istio.io/gateway-service"
type gatewayWithInstances struct {
gateway config.Config
// If true, ports that are not present in any instance will be used directly (without targetPort translation)
// This supports the legacy behavior of selecting gateways by pod label selector
legacyGatewaySelector bool
instances []*ServiceInstance
}
func (ps *PushContext) mergeGateways(proxy *Proxy) *MergedGateway {
// this should never happen
if proxy == nil {
return nil
}
gatewayInstances := make([]gatewayWithInstances, 0)
var configs []config.Config
if features.ScopeGatewayToNamespace {
configs = ps.gatewayIndex.namespace[proxy.ConfigNamespace]
} else {
configs = ps.gatewayIndex.all
}
for _, cfg := range configs {
gw := cfg.Spec.(*networking.Gateway)
if gwsvcstr, f := cfg.Annotations[InternalGatewayServiceAnnotation]; f {
gwsvcs := strings.Split(gwsvcstr, ",")
known := map[host.Name]struct{}{}
for _, g := range gwsvcs {
known[host.Name(g)] = struct{}{}
}
matchingInstances := make([]*ServiceInstance, 0, len(proxy.ServiceInstances))
for _, si := range proxy.ServiceInstances {
if _, f := known[si.Service.Hostname]; f && si.Service.Attributes.Namespace == cfg.Namespace {
matchingInstances = append(matchingInstances, si)
}
}
// Only if we have a matching instance should we apply the configuration
if len(matchingInstances) > 0 {
gatewayInstances = append(gatewayInstances, gatewayWithInstances{cfg, false, matchingInstances})
}
} else if gw.GetSelector() == nil {
// no selector. Applies to all workloads asking for the gateway
gatewayInstances = append(gatewayInstances, gatewayWithInstances{cfg, true, proxy.ServiceInstances})
} else {
gatewaySelector := labels.Instance(gw.GetSelector())
if gatewaySelector.SubsetOf(proxy.Metadata.Labels) {
gatewayInstances = append(gatewayInstances, gatewayWithInstances{cfg, true, proxy.ServiceInstances})
}
}
}
if len(gatewayInstances) == 0 {
return nil
}
return MergeGateways(gatewayInstances, proxy, ps)
}
// GatewayContext contains a minimal subset of push context functionality to be exposed to GatewayAPIControllers
type GatewayContext struct {
ps *PushContext
}
func NewGatewayContext(ps *PushContext) GatewayContext {
return GatewayContext{ps}
}
// ResolveGatewayInstances attempts to resolve all instances that a gateway will be exposed on.
// Note: this function considers *all* instances of the service; its possible those instances will not actually be properly functioning
// gateways, so this is not 100% accurate, but sufficient to expose intent to users.
// The actual configuration generation is done on a per-workload basis and will get the exact set of matched instances for that workload.
// Three sets are exposed:
// * Internal addresses (ie istio-ingressgateway.dubbo-system.svc.cluster.local:80).
// * External addresses (ie 1.2.3.4), this comes from LoadBalancer services. There may be multiple in some cases (especially multi cluster).
// * Warnings for references that could not be resolved. These are intended to be user facing.
func (gc GatewayContext) ResolveGatewayInstances(namespace string, gwsvcs []string, servers []*networking.Server) (internal, external, warns []string) {
ports := map[int]struct{}{}
for _, s := range servers {
ports[int(s.Port.Number)] = struct{}{}
}
foundInternal := sets.New()
foundExternal := sets.New()
warnings := []string{}
for _, g := range gwsvcs {
svc, f := gc.ps.ServiceIndex.HostnameAndNamespace[host.Name(g)][namespace]
if !f {
otherNamespaces := []string{}
for ns := range gc.ps.ServiceIndex.HostnameAndNamespace[host.Name(g)] {
otherNamespaces = append(otherNamespaces, `"`+ns+`"`) // Wrap in quotes for output
}
if len(otherNamespaces) > 0 {
sort.Strings(otherNamespaces)
warnings = append(warnings, fmt.Sprintf("hostname %q not found in namespace %q, but it was found in namespace(s) %v",
g, namespace, strings.Join(otherNamespaces, ", ")))
} else {
warnings = append(warnings, fmt.Sprintf("hostname %q not found", g))
}
continue
}
svcKey := svc.Key()
for port := range ports {
instances := gc.ps.ServiceIndex.instancesByPort[svcKey][port]
if len(instances) > 0 {
foundInternal.Insert(fmt.Sprintf("%s:%d", g, port))
// Fetch external IPs from all clusters
svc.Attributes.ClusterExternalAddresses.ForEach(func(c cluster.ID, externalIPs []string) {
foundExternal.InsertAll(externalIPs...)
})
} else {
if instancesEmpty(gc.ps.ServiceIndex.instancesByPort[svcKey]) {
warnings = append(warnings, fmt.Sprintf("no instances found for hostname %q", g))
} else {
hintPort := sets.New()
for _, instances := range gc.ps.ServiceIndex.instancesByPort[svcKey] {
for _, i := range instances {
if i.Endpoint.EndpointPort == uint32(port) {
hintPort.Insert(strconv.Itoa(i.ServicePort.Port))
}
}
}
if len(hintPort) > 0 {
warnings = append(warnings, fmt.Sprintf(
"port %d not found for hostname %q (hint: the service port should be specified, not the workload port. Did you mean one of these ports: %v?)",
port, g, hintPort.SortedList()))
} else {
warnings = append(warnings, fmt.Sprintf("port %d not found for hostname %q", port, g))
}
}
}
}
}
sort.Strings(warnings)
return foundInternal.SortedList(), foundExternal.SortedList(), warnings
}
func instancesEmpty(m map[int][]*ServiceInstance) bool {
for _, instances := range m {
if len(instances) > 0 {
return false
}
}
return true
}
func (ps *PushContext) NetworkManager() *NetworkManager {
return ps.networkMgr
}
// BestEffortInferServiceMTLSMode infers the mTLS mode for the service + port from all authentication
// policies (both alpha and beta) in the system. The function always returns MTLSUnknown for external service.
// The result is a best effort. It is because the PeerAuthentication is workload-based, this function is unable
// to compute the correct service mTLS mode without knowing service to workload binding. For now, this
// function uses only mesh and namespace level PeerAuthentication and ignore workload & port level policies.
// This function is used to give a hint for auto-mTLS configuration on client side.
func (ps *PushContext) BestEffortInferServiceMTLSMode(tp *networking.TrafficPolicy, service *Service, port *Port) MutualTLSMode {
if service.MeshExternal {
// Only need the authentication mTLS mode when service is not external.
return MTLSUnknown
}
// For passthrough traffic (headless service or explicitly defined in DestinationRule), we look at the instances
// If ALL instances have a sidecar, we enable TLS, otherwise we disable
// TODO(https://github.com/istio/istio/issues/27376) enable mixed deployments
// A service with passthrough resolution is always passthrough, regardless of the TrafficPolicy.
if service.Resolution == Passthrough || tp.GetLoadBalancer().GetSimple() == networking.LoadBalancerSettings_PASSTHROUGH {
instances := ps.ServiceInstancesByPort(service, port.Port, nil)
if len(instances) == 0 {
return MTLSDisable
}
for _, i := range instances {
// Infer mTls disabled if any of the endpoint is with tls disabled
if i.Endpoint.TLSMode == DisabledTLSModeLabel {
return MTLSDisable
}
}
}
// 2. check mTLS settings from beta policy (i.e PeerAuthentication) at namespace / mesh level.
// If the mode is not unknown, use it.
if serviceMTLSMode := ps.AuthnPolicies.GetNamespaceMutualTLSMode(service.Attributes.Namespace); serviceMTLSMode != MTLSUnknown {
return serviceMTLSMode
}
// Fallback to permissive.
return MTLSPermissive
}
// ServiceInstancesByPort returns the cached instances by port if it exists.
func (ps *PushContext) ServiceInstancesByPort(svc *Service, port int, labels labels.Instance) []*ServiceInstance {
out := []*ServiceInstance{}
if instances, exists := ps.ServiceIndex.instancesByPort[svc.Key()][port]; exists {
// Use cached version of instances by port when labels are empty.
if len(labels) == 0 {
return instances
}
// If there are labels, we will filter instances by pod labels.
for _, instance := range instances {
// check that one of the input labels is a subset of the labels
if labels.SubsetOf(instance.Endpoint.Labels) {
out = append(out, instance)
}
}
}
return out
}
// initKubernetesGateways initializes Kubernetes gateway-api objects
func (ps *PushContext) initKubernetesGateways(env *Environment) error {
if env.GatewayAPIController != nil {
ps.GatewayAPIController = env.GatewayAPIController
return env.GatewayAPIController.Recompute(GatewayContext{ps})
}
return nil
}
// Split out of ServiceNameMapping expensive conversions - once per push.
func (ps *PushContext) initServiceNameMappings(env *Environment) error {
configs, err := env.List(gvk.ServiceNameMapping, NamespaceAll)
if err != nil {
return err
}
// values returned from ConfigStore.List are immutable.
// Therefore, we make a copy
snpMappings := make([]*config.Config, len(configs))
for i := range snpMappings {
deepCopy := configs[i].DeepCopy()
snpMappings[i] = &deepCopy
}
for _, snp := range snpMappings {
byNamespace := ps.serviceNameMappingIndex.namespace
if _, exists := byNamespace[snp.Namespace]; !exists {
byNamespace[snp.Namespace] = make([]*config.Config, 0)
}
byNamespace[snp.Namespace] = append(byNamespace[snp.Namespace], snp)
interfaceByNamespace := ps.serviceNameMappingIndex.interfaceByNamespace
if _, exists := interfaceByNamespace[snp.Namespace]; !exists {
interfaceByNamespace[snp.Namespace] = make(map[string]*config.Config, 0)
}
mapping := snp.Spec.(*extensions.ServiceNameMapping)
interfaceByNamespace[snp.Namespace][mapping.GetInterfaceName()] = snp
}
ps.serviceNameMappingIndex.all = snpMappings
return nil
}
// ReferenceAllowed determines if a given resource (of type `kind` and name `resourceName`) can be
// accessed by `namespace`, based of specific reference policies.
// Note: this function only determines if a reference is *explicitly* allowed; the reference may not require
// explicitly authorization to be made at all in most cases. Today, this only is for allowing cross-namespace
// secret access.
func (ps *PushContext) ReferenceAllowed(kind config.GroupVersionKind, resourceName string, namespace string) bool {
// Currently, only Secret has reference policy, and only implemented by Gateway API controller.
switch kind {
case gvk.Secret:
if ps.GatewayAPIController != nil {
return ps.GatewayAPIController.SecretAllowed(resourceName, namespace)
}
default:
}
return false
}