| // Copyright Istio Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package controller |
| |
| import ( |
| "fmt" |
| "net" |
| "sort" |
| "sync" |
| "time" |
| ) |
| |
| import ( |
| "github.com/hashicorp/go-multierror" |
| "go.uber.org/atomic" |
| "istio.io/api/label" |
| istiolog "istio.io/pkg/log" |
| "istio.io/pkg/monitoring" |
| v1 "k8s.io/api/core/v1" |
| "k8s.io/apimachinery/pkg/api/meta" |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| "k8s.io/apimachinery/pkg/types" |
| listerv1 "k8s.io/client-go/listers/core/v1" |
| "k8s.io/client-go/tools/cache" |
| ) |
| |
| import ( |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/features" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/model" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry/aggregate" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry/kube" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry/kube/controller/filter" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry/provider" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/serviceregistry/util/workloadinstances" |
| "github.com/apache/dubbo-go-pixiu/pilot/pkg/util/informermetric" |
| "github.com/apache/dubbo-go-pixiu/pkg/cluster" |
| "github.com/apache/dubbo-go-pixiu/pkg/config/host" |
| "github.com/apache/dubbo-go-pixiu/pkg/config/labels" |
| "github.com/apache/dubbo-go-pixiu/pkg/config/mesh" |
| "github.com/apache/dubbo-go-pixiu/pkg/config/protocol" |
| kubelib "github.com/apache/dubbo-go-pixiu/pkg/kube" |
| "github.com/apache/dubbo-go-pixiu/pkg/network" |
| "github.com/apache/dubbo-go-pixiu/pkg/queue" |
| ) |
| |
| const ( |
| // NodeRegionLabel is the well-known label for kubernetes node region in beta |
| NodeRegionLabel = v1.LabelFailureDomainBetaRegion |
| // NodeZoneLabel is the well-known label for kubernetes node zone in beta |
| NodeZoneLabel = v1.LabelFailureDomainBetaZone |
| // NodeRegionLabelGA is the well-known label for kubernetes node region in ga |
| NodeRegionLabelGA = v1.LabelTopologyRegion |
| // NodeZoneLabelGA is the well-known label for kubernetes node zone in ga |
| NodeZoneLabelGA = v1.LabelTopologyZone |
| |
| // DefaultNetworkGatewayPort is the port used by default for cross-network traffic if not otherwise specified |
| // by meshNetworks or "networking.istio.io/gatewayPort" |
| DefaultNetworkGatewayPort = 15443 |
| ) |
| |
| var log = istiolog.RegisterScope("kube", "kubernetes service registry controller", 0) |
| |
| var ( |
| typeTag = monitoring.MustCreateLabel("type") |
| eventTag = monitoring.MustCreateLabel("event") |
| |
| k8sEvents = monitoring.NewSum( |
| "pilot_k8s_reg_events", |
| "Events from k8s registry.", |
| monitoring.WithLabels(typeTag, eventTag), |
| ) |
| |
| // nolint: gocritic |
| // This is deprecated in favor of `pilot_k8s_endpoints_pending_pod`, which is a gauge indicating the number of |
| // currently missing pods. This helps distinguish transient errors from permanent ones |
| endpointsWithNoPods = monitoring.NewSum( |
| "pilot_k8s_endpoints_with_no_pods", |
| "Endpoints that does not have any corresponding pods.") |
| |
| endpointsPendingPodUpdate = monitoring.NewGauge( |
| "pilot_k8s_endpoints_pending_pod", |
| "Number of endpoints that do not currently have any corresponding pods.", |
| ) |
| ) |
| |
| func init() { |
| monitoring.MustRegister(k8sEvents) |
| monitoring.MustRegister(endpointsWithNoPods) |
| monitoring.MustRegister(endpointsPendingPodUpdate) |
| } |
| |
| func incrementEvent(kind, event string) { |
| k8sEvents.With(typeTag.Value(kind), eventTag.Value(event)).Increment() |
| } |
| |
| // Options stores the configurable attributes of a Controller. |
| type Options struct { |
| SystemNamespace string |
| |
| // MeshServiceController is a mesh-wide service Controller. |
| MeshServiceController *aggregate.Controller |
| |
| DomainSuffix string |
| |
| // ClusterID identifies the remote cluster in a multicluster env. |
| ClusterID cluster.ID |
| |
| // ClusterAliases are aliase names for cluster. When a proxy connects with a cluster ID |
| // and if it has a different alias we should use that a cluster ID for proxy. |
| ClusterAliases map[string]string |
| |
| // Metrics for capturing node-based metrics. |
| Metrics model.Metrics |
| |
| // XDSUpdater will push changes to the xDS server. |
| XDSUpdater model.XDSUpdater |
| |
| // NetworksWatcher observes changes to the mesh networks config. |
| NetworksWatcher mesh.NetworksWatcher |
| |
| // MeshWatcher observes changes to the mesh config |
| MeshWatcher mesh.Watcher |
| |
| // EndpointMode decides what source to use to get endpoint information |
| EndpointMode EndpointMode |
| |
| // Maximum QPS when communicating with kubernetes API |
| KubernetesAPIQPS float32 |
| |
| // Maximum burst for throttle when communicating with the kubernetes API |
| KubernetesAPIBurst int |
| |
| // SyncTimeout, if set, causes HasSynced to be returned when marked true. |
| SyncTimeout *atomic.Bool |
| |
| // If meshConfig.DiscoverySelectors are specified, the DiscoveryNamespacesFilter tracks the namespaces this controller watches. |
| DiscoveryNamespacesFilter filter.DiscoveryNamespacesFilter |
| } |
| |
| // DetectEndpointMode determines whether to use Endpoints or EndpointSlice based on the |
| // feature flag and/or Kubernetes version |
| func DetectEndpointMode(kubeClient kubelib.Client) EndpointMode { |
| useEndpointslice, ok := features.EnableEndpointSliceController() |
| |
| // we have a client, and flag wasn't set explicitly, auto-detect |
| if kubeClient != nil && !ok && kubelib.IsAtLeastVersion(kubeClient, 21) { |
| useEndpointslice = true |
| } |
| |
| if useEndpointslice { |
| return EndpointSliceOnly |
| } |
| return EndpointsOnly |
| } |
| |
| // EndpointMode decides what source to use to get endpoint information |
| type EndpointMode int |
| |
| const ( |
| // EndpointsOnly type will use only Kubernetes Endpoints |
| EndpointsOnly EndpointMode = iota |
| |
| // EndpointSliceOnly type will use only Kubernetes EndpointSlices |
| EndpointSliceOnly |
| |
| // TODO: add other modes. Likely want a mode with Endpoints+EndpointSlices that are not controlled by |
| // Kubernetes Controller (e.g. made by user and not duplicated with Endpoints), or a mode with both that |
| // does deduping. Simply doing both won't work for now, since not all Kubernetes components support EndpointSlice. |
| ) |
| |
| var EndpointModes = []EndpointMode{EndpointsOnly, EndpointSliceOnly} |
| |
| var EndpointModeNames = map[EndpointMode]string{ |
| EndpointsOnly: "EndpointsOnly", |
| EndpointSliceOnly: "EndpointSliceOnly", |
| } |
| |
| func (m EndpointMode) String() string { |
| return EndpointModeNames[m] |
| } |
| |
| // kubernetesNode represents a kubernetes node that is reachable externally |
| type kubernetesNode struct { |
| address string |
| labels labels.Instance |
| } |
| |
| // controllerInterface is a simplified interface for the Controller used for testing. |
| type controllerInterface interface { |
| getPodLocality(pod *v1.Pod) string |
| Network(endpointIP string, labels labels.Instance) network.ID |
| Cluster() cluster.ID |
| } |
| |
| var ( |
| _ controllerInterface = &Controller{} |
| _ serviceregistry.Instance = &Controller{} |
| ) |
| |
| // Controller is a collection of synchronized resource watchers |
| // Caches are thread-safe |
| type Controller struct { |
| opts Options |
| |
| client kubelib.Client |
| |
| queue queue.Instance |
| |
| nsInformer cache.SharedIndexInformer |
| nsLister listerv1.NamespaceLister |
| |
| serviceInformer filter.FilteredSharedIndexInformer |
| serviceLister listerv1.ServiceLister |
| |
| endpoints kubeEndpointsController |
| |
| // Used to watch node accessible from remote cluster. |
| // In multi-cluster(shared control plane multi-networks) scenario, ingress gateway service can be of nodePort type. |
| // With this, we can populate mesh's gateway address with the node ips. |
| nodeInformer cache.SharedIndexInformer |
| nodeLister listerv1.NodeLister |
| |
| exports serviceExportCache |
| imports serviceImportCache |
| pods *PodCache |
| |
| handlers model.ControllerHandlers |
| |
| // This is only used for test |
| stop chan struct{} |
| |
| sync.RWMutex |
| // servicesMap stores hostname ==> service, it is used to reduce convertService calls. |
| servicesMap map[host.Name]*model.Service |
| // hostNamesForNamespacedName returns all possible hostnames for the given service name. |
| // If Kubernetes Multi-Cluster Services (MCS) is enabled, this will contain the regular |
| // hostname as well as the MCS hostname (clusterset.local). Otherwise, only the regular |
| // hostname will be returned. |
| hostNamesForNamespacedName func(name types.NamespacedName) []host.Name |
| // servicesForNamespacedName returns all services for the given service name. |
| // If Kubernetes Multi-Cluster Services (MCS) is enabled, this will contain the regular |
| // service as well as the MCS service (clusterset.local), if available. Otherwise, |
| // only the regular service will be returned. |
| servicesForNamespacedName func(name types.NamespacedName) []*model.Service |
| // nodeSelectorsForServices stores hostname => label selectors that can be used to |
| // refine the set of node port IPs for a service. |
| nodeSelectorsForServices map[host.Name]labels.Instance |
| // map of node name and its address+labels - this is the only thing we need from nodes |
| // for vm to k8s or cross cluster. When node port services select specific nodes by labels, |
| // we run through the label selectors here to pick only ones that we need. |
| // Only nodes with ExternalIP addresses are included in this map ! |
| nodeInfoMap map[string]kubernetesNode |
| // externalNameSvcInstanceMap stores hostname ==> instance, is used to store instances for ExternalName k8s services |
| externalNameSvcInstanceMap map[host.Name][]*model.ServiceInstance |
| // index over workload instances from workload entries |
| workloadInstancesIndex workloadinstances.Index |
| |
| multinetwork |
| // informerInit is set to true once the controller is running successfully. This ensures we do not |
| // return HasSynced=true before we are running |
| informerInit *atomic.Bool |
| // beginSync is set to true when calling SyncAll, it indicates the controller has began sync resources. |
| beginSync *atomic.Bool |
| // initialSync is set to true after performing an initial in-order processing of all objects. |
| initialSync *atomic.Bool |
| } |
| |
| // NewController creates a new Kubernetes controller |
| // Created by bootstrap and multicluster (see multicluster.Controller). |
| func NewController(kubeClient kubelib.Client, options Options) *Controller { |
| c := &Controller{ |
| opts: options, |
| client: kubeClient, |
| queue: queue.NewQueueWithID(1*time.Second, string(options.ClusterID)), |
| servicesMap: make(map[host.Name]*model.Service), |
| nodeSelectorsForServices: make(map[host.Name]labels.Instance), |
| nodeInfoMap: make(map[string]kubernetesNode), |
| externalNameSvcInstanceMap: make(map[host.Name][]*model.ServiceInstance), |
| workloadInstancesIndex: workloadinstances.NewIndex(), |
| informerInit: atomic.NewBool(false), |
| beginSync: atomic.NewBool(false), |
| initialSync: atomic.NewBool(false), |
| |
| multinetwork: initMultinetwork(), |
| } |
| |
| if features.EnableMCSHost { |
| c.hostNamesForNamespacedName = func(name types.NamespacedName) []host.Name { |
| return []host.Name{ |
| kube.ServiceHostname(name.Name, name.Namespace, c.opts.DomainSuffix), |
| serviceClusterSetLocalHostname(name), |
| } |
| } |
| c.servicesForNamespacedName = func(name types.NamespacedName) []*model.Service { |
| out := make([]*model.Service, 0, 2) |
| |
| c.RLock() |
| if svc := c.servicesMap[kube.ServiceHostname(name.Name, name.Namespace, c.opts.DomainSuffix)]; svc != nil { |
| out = append(out, svc) |
| } |
| |
| if svc := c.servicesMap[serviceClusterSetLocalHostname(name)]; svc != nil { |
| out = append(out, svc) |
| } |
| c.RUnlock() |
| |
| return out |
| } |
| } else { |
| c.hostNamesForNamespacedName = func(name types.NamespacedName) []host.Name { |
| return []host.Name{ |
| kube.ServiceHostname(name.Name, name.Namespace, c.opts.DomainSuffix), |
| } |
| } |
| c.servicesForNamespacedName = func(name types.NamespacedName) []*model.Service { |
| if svc := c.GetService(kube.ServiceHostname(name.Name, name.Namespace, c.opts.DomainSuffix)); svc != nil { |
| return []*model.Service{svc} |
| } |
| return nil |
| } |
| } |
| |
| c.nsInformer = kubeClient.KubeInformer().Core().V1().Namespaces().Informer() |
| c.nsLister = kubeClient.KubeInformer().Core().V1().Namespaces().Lister() |
| if c.opts.SystemNamespace != "" { |
| nsInformer := filter.NewFilteredSharedIndexInformer(func(obj interface{}) bool { |
| ns, ok := obj.(*v1.Namespace) |
| if !ok { |
| log.Warnf("Namespace watch getting wrong type in event: %T", obj) |
| return false |
| } |
| return ns.Name == c.opts.SystemNamespace |
| }, c.nsInformer) |
| c.registerHandlers(nsInformer, "Namespaces", c.onSystemNamespaceEvent, nil) |
| } |
| |
| if c.opts.DiscoveryNamespacesFilter == nil { |
| c.opts.DiscoveryNamespacesFilter = filter.NewDiscoveryNamespacesFilter(c.nsLister, options.MeshWatcher.Mesh().DiscoverySelectors) |
| } |
| |
| c.initDiscoveryHandlers(kubeClient, options.EndpointMode, options.MeshWatcher, c.opts.DiscoveryNamespacesFilter) |
| |
| c.serviceInformer = filter.NewFilteredSharedIndexInformer(c.opts.DiscoveryNamespacesFilter.Filter, kubeClient.KubeInformer().Core().V1().Services().Informer()) |
| c.serviceLister = listerv1.NewServiceLister(c.serviceInformer.GetIndexer()) |
| |
| c.registerHandlers(c.serviceInformer, "Services", c.onServiceEvent, nil) |
| |
| switch options.EndpointMode { |
| case EndpointsOnly: |
| c.endpoints = newEndpointsController(c) |
| case EndpointSliceOnly: |
| c.endpoints = newEndpointSliceController(c) |
| } |
| |
| // This is for getting the node IPs of a selected set of nodes |
| c.nodeInformer = kubeClient.KubeInformer().Core().V1().Nodes().Informer() |
| c.nodeLister = kubeClient.KubeInformer().Core().V1().Nodes().Lister() |
| c.registerHandlers(c.nodeInformer, "Nodes", c.onNodeEvent, nil) |
| |
| podInformer := filter.NewFilteredSharedIndexInformer(c.opts.DiscoveryNamespacesFilter.Filter, kubeClient.KubeInformer().Core().V1().Pods().Informer()) |
| c.pods = newPodCache(c, podInformer, func(key string) { |
| item, exists, err := c.endpoints.getInformer().GetIndexer().GetByKey(key) |
| if err != nil { |
| log.Debugf("Endpoint %v lookup failed with error %v, skipping stale endpoint", key, err) |
| return |
| } |
| if !exists { |
| log.Debugf("Endpoint %v not found, skipping stale endpoint", key) |
| return |
| } |
| if shouldEnqueue("Pods", c.beginSync) { |
| c.queue.Push(func() error { |
| return c.endpoints.onEvent(item, model.EventUpdate) |
| }) |
| } |
| }) |
| c.registerHandlers(c.pods.informer, "Pods", c.pods.onEvent, nil) |
| |
| c.exports = newServiceExportCache(c) |
| c.imports = newServiceImportCache(c) |
| |
| return c |
| } |
| |
| func (c *Controller) Provider() provider.ID { |
| return provider.Kubernetes |
| } |
| |
| func (c *Controller) Cluster() cluster.ID { |
| return c.opts.ClusterID |
| } |
| |
| func (c *Controller) MCSServices() []model.MCSServiceInfo { |
| outMap := make(map[types.NamespacedName]*model.MCSServiceInfo) |
| |
| // Add the ServiceExport info. |
| for _, se := range c.exports.ExportedServices() { |
| mcsService := outMap[se.namespacedName] |
| if mcsService == nil { |
| mcsService = &model.MCSServiceInfo{} |
| outMap[se.namespacedName] = mcsService |
| } |
| mcsService.Cluster = c.Cluster() |
| mcsService.Name = se.namespacedName.Name |
| mcsService.Namespace = se.namespacedName.Namespace |
| mcsService.Exported = true |
| mcsService.Discoverability = se.discoverability |
| } |
| |
| // Add the ServiceImport info. |
| for _, si := range c.imports.ImportedServices() { |
| mcsService := outMap[si.namespacedName] |
| if mcsService == nil { |
| mcsService = &model.MCSServiceInfo{} |
| outMap[si.namespacedName] = mcsService |
| } |
| mcsService.Cluster = c.Cluster() |
| mcsService.Name = si.namespacedName.Name |
| mcsService.Namespace = si.namespacedName.Namespace |
| mcsService.Imported = true |
| mcsService.ClusterSetVIP = si.clusterSetVIP |
| } |
| |
| out := make([]model.MCSServiceInfo, 0, len(outMap)) |
| for _, v := range outMap { |
| out = append(out, *v) |
| } |
| |
| return out |
| } |
| |
| func (c *Controller) networkFromMeshNetworks(endpointIP string) network.ID { |
| c.RLock() |
| defer c.RUnlock() |
| if c.networkForRegistry != "" { |
| return c.networkForRegistry |
| } |
| |
| if c.ranger != nil { |
| entries, err := c.ranger.ContainingNetworks(net.ParseIP(endpointIP)) |
| if err != nil { |
| log.Error(err) |
| return "" |
| } |
| if len(entries) > 1 { |
| log.Warnf("Found multiple networks CIDRs matching the endpoint IP: %s. Using the first match.", endpointIP) |
| } |
| if len(entries) > 0 { |
| return (entries[0].(namedRangerEntry)).name |
| } |
| } |
| return "" |
| } |
| |
| func (c *Controller) networkFromSystemNamespace() network.ID { |
| c.RLock() |
| defer c.RUnlock() |
| return c.network |
| } |
| |
| func (c *Controller) Network(endpointIP string, labels labels.Instance) network.ID { |
| // 1. check the pod/workloadEntry label |
| if nw := labels[label.TopologyNetwork.Name]; nw != "" { |
| return network.ID(nw) |
| } |
| |
| // 2. check the system namespace labels |
| if nw := c.networkFromSystemNamespace(); nw != "" { |
| return nw |
| } |
| |
| // 3. check the meshNetworks config |
| if nw := c.networkFromMeshNetworks(endpointIP); nw != "" { |
| return nw |
| } |
| |
| return "" |
| } |
| |
| func (c *Controller) Cleanup() error { |
| if err := queue.WaitForClose(c.queue, 30*time.Second); err != nil { |
| log.Warnf("queue for removed kube registry %q may not be done processing: %v", c.Cluster(), err) |
| } |
| if c.opts.XDSUpdater != nil { |
| c.opts.XDSUpdater.RemoveShard(model.ShardKeyFromRegistry(c)) |
| } |
| return nil |
| } |
| |
| func (c *Controller) onServiceEvent(curr interface{}, event model.Event) error { |
| svc, err := convertToService(curr) |
| if err != nil { |
| log.Errorf(err) |
| return nil |
| } |
| |
| log.Debugf("Handle event %s for service %s in namespace %s", event, svc.Name, svc.Namespace) |
| |
| // Create the standard (cluster.local) service. |
| svcConv := kube.ConvertService(*svc, c.opts.DomainSuffix, c.Cluster()) |
| switch event { |
| case model.EventDelete: |
| c.deleteService(svcConv) |
| default: |
| c.addOrUpdateService(svc, svcConv, event, false) |
| } |
| |
| return nil |
| } |
| |
| func (c *Controller) deleteService(svc *model.Service) { |
| c.Lock() |
| delete(c.servicesMap, svc.Hostname) |
| delete(c.nodeSelectorsForServices, svc.Hostname) |
| delete(c.externalNameSvcInstanceMap, svc.Hostname) |
| _, isNetworkGateway := c.networkGatewaysBySvc[svc.Hostname] |
| delete(c.networkGatewaysBySvc, svc.Hostname) |
| c.Unlock() |
| |
| if isNetworkGateway { |
| c.NotifyGatewayHandlers() |
| // TODO trigger push via handler |
| // networks are different, we need to update all eds endpoints |
| c.opts.XDSUpdater.ConfigUpdate(&model.PushRequest{Full: true, Reason: []model.TriggerReason{model.NetworksTrigger}}) |
| } |
| |
| shard := model.ShardKeyFromRegistry(c) |
| event := model.EventDelete |
| c.opts.XDSUpdater.SvcUpdate(shard, string(svc.Hostname), svc.Attributes.Namespace, event) |
| |
| c.handlers.NotifyServiceHandlers(svc, event) |
| } |
| |
| func (c *Controller) addOrUpdateService(svc *v1.Service, svcConv *model.Service, event model.Event, updateEDSCache bool) { |
| needsFullPush := false |
| // First, process nodePort gateway service, whose externalIPs specified |
| // and loadbalancer gateway service |
| if !svcConv.Attributes.ClusterExternalAddresses.IsEmpty() { |
| needsFullPush = c.extractGatewaysFromService(svcConv) |
| } else if isNodePortGatewayService(svc) { |
| // We need to know which services are using node selectors because during node events, |
| // we have to update all the node port services accordingly. |
| nodeSelector := getNodeSelectorsForService(svc) |
| c.Lock() |
| // only add when it is nodePort gateway service |
| c.nodeSelectorsForServices[svcConv.Hostname] = nodeSelector |
| c.Unlock() |
| needsFullPush = c.updateServiceNodePortAddresses(svcConv) |
| } |
| |
| // instance conversion is only required when service is added/updated. |
| instances := kube.ExternalNameServiceInstances(svc, svcConv) |
| c.Lock() |
| c.servicesMap[svcConv.Hostname] = svcConv |
| if len(instances) > 0 { |
| c.externalNameSvcInstanceMap[svcConv.Hostname] = instances |
| } |
| c.Unlock() |
| |
| if needsFullPush { |
| // networks are different, we need to update all eds endpoints |
| c.opts.XDSUpdater.ConfigUpdate(&model.PushRequest{Full: true, Reason: []model.TriggerReason{model.NetworksTrigger}}) |
| } |
| |
| shard := model.ShardKeyFromRegistry(c) |
| ns := svcConv.Attributes.Namespace |
| // We also need to update when the Service changes. For Kubernetes, a service change will result in Endpoint updates, |
| // but workload entries will also need to be updated. |
| // TODO(nmittler): Build different sets of endpoints for cluster.local and clusterset.local. |
| endpoints := c.buildEndpointsForService(svcConv, updateEDSCache) |
| if len(endpoints) > 0 { |
| c.opts.XDSUpdater.EDSCacheUpdate(shard, string(svcConv.Hostname), ns, endpoints) |
| } |
| |
| c.opts.XDSUpdater.SvcUpdate(shard, string(svcConv.Hostname), ns, event) |
| |
| c.handlers.NotifyServiceHandlers(svcConv, event) |
| } |
| |
| func (c *Controller) buildEndpointsForService(svc *model.Service, updateCache bool) []*model.IstioEndpoint { |
| endpoints := c.endpoints.buildIstioEndpointsWithService(svc.Attributes.Name, svc.Attributes.Namespace, svc.Hostname, updateCache) |
| fep := c.collectWorkloadInstanceEndpoints(svc) |
| endpoints = append(endpoints, fep...) |
| return endpoints |
| } |
| |
| func (c *Controller) onNodeEvent(obj interface{}, event model.Event) error { |
| node, ok := obj.(*v1.Node) |
| if !ok { |
| tombstone, ok := obj.(cache.DeletedFinalStateUnknown) |
| if !ok { |
| log.Errorf("couldn't get object from tombstone %+v", obj) |
| return nil |
| } |
| node, ok = tombstone.Obj.(*v1.Node) |
| if !ok { |
| log.Errorf("tombstone contained object that is not a node %#v", obj) |
| return nil |
| } |
| } |
| var updatedNeeded bool |
| if event == model.EventDelete { |
| updatedNeeded = true |
| c.Lock() |
| delete(c.nodeInfoMap, node.Name) |
| c.Unlock() |
| } else { |
| k8sNode := kubernetesNode{labels: node.Labels} |
| for _, address := range node.Status.Addresses { |
| if address.Type == v1.NodeExternalIP && address.Address != "" { |
| k8sNode.address = address.Address |
| break |
| } |
| } |
| if k8sNode.address == "" { |
| return nil |
| } |
| |
| c.Lock() |
| // check if the node exists as this add event could be due to controller resync |
| // if the stored object changes, then fire an update event. Otherwise, ignore this event. |
| currentNode, exists := c.nodeInfoMap[node.Name] |
| if !exists || !nodeEquals(currentNode, k8sNode) { |
| c.nodeInfoMap[node.Name] = k8sNode |
| updatedNeeded = true |
| } |
| c.Unlock() |
| } |
| |
| // update all related services |
| if updatedNeeded && c.updateServiceNodePortAddresses() { |
| c.opts.XDSUpdater.ConfigUpdate(&model.PushRequest{ |
| Full: true, |
| Reason: []model.TriggerReason{model.ServiceUpdate}, |
| }) |
| } |
| return nil |
| } |
| |
| // FilterOutFunc func for filtering out objects during update callback |
| type FilterOutFunc func(old, cur interface{}) bool |
| |
| func (c *Controller) registerHandlers( |
| informer filter.FilteredSharedIndexInformer, otype string, |
| handler func(interface{}, model.Event) error, filter FilterOutFunc, |
| ) { |
| wrappedHandler := func(obj interface{}, event model.Event) error { |
| obj = tryGetLatestObject(informer, obj) |
| return handler(obj, event) |
| } |
| if informer, ok := informer.(cache.SharedInformer); ok { |
| _ = informer.SetWatchErrorHandler(informermetric.ErrorHandlerForCluster(c.Cluster())) |
| } |
| informer.AddEventHandler( |
| cache.ResourceEventHandlerFuncs{ |
| AddFunc: func(obj interface{}) { |
| incrementEvent(otype, "add") |
| if !shouldEnqueue(otype, c.beginSync) { |
| return |
| } |
| c.queue.Push(func() error { |
| return wrappedHandler(obj, model.EventAdd) |
| }) |
| }, |
| UpdateFunc: func(old, cur interface{}) { |
| if filter != nil { |
| if filter(old, cur) { |
| incrementEvent(otype, "updatesame") |
| return |
| } |
| } |
| |
| incrementEvent(otype, "update") |
| if !shouldEnqueue(otype, c.beginSync) { |
| return |
| } |
| c.queue.Push(func() error { |
| return wrappedHandler(cur, model.EventUpdate) |
| }) |
| }, |
| DeleteFunc: func(obj interface{}) { |
| incrementEvent(otype, "delete") |
| if !shouldEnqueue(otype, c.beginSync) { |
| return |
| } |
| c.queue.Push(func() error { |
| return handler(obj, model.EventDelete) |
| }) |
| }, |
| }) |
| } |
| |
| // tryGetLatestObject attempts to fetch the latest version of the object from the cache. |
| // Changes may have occurred between queuing and processing. |
| func tryGetLatestObject(informer filter.FilteredSharedIndexInformer, obj interface{}) interface{} { |
| key, err := cache.MetaNamespaceKeyFunc(obj) |
| if err != nil { |
| log.Warnf("failed creating key for informer object: %v", err) |
| return obj |
| } |
| |
| latest, exists, err := informer.GetIndexer().GetByKey(key) |
| if !exists || err != nil { |
| log.Warnf("couldn't find %q in informer index", key) |
| return obj |
| } |
| |
| return latest |
| } |
| |
| // HasSynced returns true after the initial state synchronization |
| func (c *Controller) HasSynced() bool { |
| return (c.opts.SyncTimeout != nil && c.opts.SyncTimeout.Load()) || c.initialSync.Load() |
| } |
| |
| func (c *Controller) informersSynced() bool { |
| if !c.informerInit.Load() { |
| // registration/Run of informers hasn't occurred yet |
| return false |
| } |
| if (c.nsInformer != nil && !c.nsInformer.HasSynced()) || |
| !c.serviceInformer.HasSynced() || |
| !c.endpoints.HasSynced() || |
| !c.pods.informer.HasSynced() || |
| !c.nodeInformer.HasSynced() || |
| !c.exports.HasSynced() || |
| !c.imports.HasSynced() { |
| return false |
| } |
| return true |
| } |
| |
| // SyncAll syncs all the objects node->service->pod->endpoint in order |
| // TODO: sync same kind of objects in parallel |
| // This can cause great performance cost in multi clusters scenario. |
| // Maybe just sync the cache and trigger one push at last. |
| func (c *Controller) SyncAll() error { |
| c.beginSync.Store(true) |
| var err *multierror.Error |
| err = multierror.Append(err, c.syncDiscoveryNamespaces()) |
| err = multierror.Append(err, c.syncSystemNamespace()) |
| err = multierror.Append(err, c.syncNodes()) |
| err = multierror.Append(err, c.syncServices()) |
| err = multierror.Append(err, c.syncPods()) |
| err = multierror.Append(err, c.syncEndpoints()) |
| |
| return multierror.Flatten(err.ErrorOrNil()) |
| } |
| |
| func (c *Controller) syncSystemNamespace() error { |
| var err error |
| if c.nsLister != nil { |
| sysNs, _ := c.nsLister.Get(c.opts.SystemNamespace) |
| log.Debugf("initializing systemNamespace:%s", c.opts.SystemNamespace) |
| if sysNs != nil { |
| err = c.onSystemNamespaceEvent(sysNs, model.EventAdd) |
| } |
| } |
| return err |
| } |
| |
| func (c *Controller) syncDiscoveryNamespaces() error { |
| var err error |
| if c.nsLister != nil { |
| err = c.opts.DiscoveryNamespacesFilter.SyncNamespaces() |
| } |
| return err |
| } |
| |
| func (c *Controller) syncNodes() error { |
| var err *multierror.Error |
| nodes := c.nodeInformer.GetIndexer().List() |
| log.Debugf("initializing %d nodes", len(nodes)) |
| for _, s := range nodes { |
| err = multierror.Append(err, c.onNodeEvent(s, model.EventAdd)) |
| } |
| return err.ErrorOrNil() |
| } |
| |
| func (c *Controller) syncServices() error { |
| var err *multierror.Error |
| services := c.serviceInformer.GetIndexer().List() |
| log.Debugf("initializing %d services", len(services)) |
| for _, s := range services { |
| err = multierror.Append(err, c.onServiceEvent(s, model.EventAdd)) |
| } |
| return err.ErrorOrNil() |
| } |
| |
| func (c *Controller) syncPods() error { |
| var err *multierror.Error |
| pods := c.pods.informer.GetIndexer().List() |
| log.Debugf("initializing %d pods", len(pods)) |
| for _, s := range pods { |
| err = multierror.Append(err, c.pods.onEvent(s, model.EventAdd)) |
| } |
| return err.ErrorOrNil() |
| } |
| |
| func (c *Controller) syncEndpoints() error { |
| var err *multierror.Error |
| endpoints := c.endpoints.getInformer().GetIndexer().List() |
| log.Debugf("initializing %d endpoints", len(endpoints)) |
| for _, s := range endpoints { |
| err = multierror.Append(err, c.endpoints.onEvent(s, model.EventAdd)) |
| } |
| return err.ErrorOrNil() |
| } |
| |
| // Run all controllers until a signal is received |
| func (c *Controller) Run(stop <-chan struct{}) { |
| st := time.Now() |
| if c.opts.NetworksWatcher != nil { |
| c.opts.NetworksWatcher.AddNetworksHandler(c.reloadNetworkLookup) |
| c.reloadMeshNetworks() |
| c.reloadNetworkGateways() |
| } |
| c.informerInit.Store(true) |
| |
| cache.WaitForCacheSync(stop, c.informersSynced) |
| // after informer caches sync the first time, process resources in order |
| if err := c.SyncAll(); err != nil { |
| log.Errorf("one or more errors force-syncing resources: %v", err) |
| } |
| c.initialSync.Store(true) |
| log.Infof("kube controller for %s synced after %v", c.opts.ClusterID, time.Since(st)) |
| // after the in-order sync we can start processing the queue |
| c.queue.Run(stop) |
| log.Infof("Controller terminated") |
| } |
| |
| // Stop the controller. Only for tests, to simplify the code (defer c.Stop()) |
| func (c *Controller) Stop() { |
| if c.stop != nil { |
| close(c.stop) |
| } |
| } |
| |
| // Services implements a service catalog operation |
| func (c *Controller) Services() []*model.Service { |
| c.RLock() |
| out := make([]*model.Service, 0, len(c.servicesMap)) |
| for _, svc := range c.servicesMap { |
| out = append(out, svc) |
| } |
| c.RUnlock() |
| sort.Slice(out, func(i, j int) bool { return out[i].Hostname < out[j].Hostname }) |
| return out |
| } |
| |
| // GetService implements a service catalog operation by hostname specified. |
| func (c *Controller) GetService(hostname host.Name) *model.Service { |
| c.RLock() |
| svc := c.servicesMap[hostname] |
| c.RUnlock() |
| return svc |
| } |
| |
| // getPodLocality retrieves the locality for a pod. |
| func (c *Controller) getPodLocality(pod *v1.Pod) string { |
| // if pod has `istio-locality` label, skip below ops |
| if len(pod.Labels[model.LocalityLabel]) > 0 { |
| return model.GetLocalityLabelOrDefault(pod.Labels[model.LocalityLabel], "") |
| } |
| |
| // NodeName is set by the scheduler after the pod is created |
| // https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#late-initialization |
| raw, err := c.nodeLister.Get(pod.Spec.NodeName) |
| if err != nil { |
| if pod.Spec.NodeName != "" { |
| log.Warnf("unable to get node %q for pod %q/%q: %v", pod.Spec.NodeName, pod.Namespace, pod.Name, err) |
| } |
| return "" |
| } |
| |
| nodeMeta, err := meta.Accessor(raw) |
| if err != nil { |
| log.Warnf("unable to get node meta: %v", nodeMeta) |
| return "" |
| } |
| |
| region := getLabelValue(nodeMeta, NodeRegionLabel, NodeRegionLabelGA) |
| zone := getLabelValue(nodeMeta, NodeZoneLabel, NodeZoneLabelGA) |
| subzone := getLabelValue(nodeMeta, label.TopologySubzone.Name, "") |
| |
| if region == "" && zone == "" && subzone == "" { |
| return "" |
| } |
| |
| return region + "/" + zone + "/" + subzone // Format: "%s/%s/%s" |
| } |
| |
| // InstancesByPort implements a service catalog operation |
| func (c *Controller) InstancesByPort(svc *model.Service, reqSvcPort int, labels labels.Instance) []*model.ServiceInstance { |
| // First get k8s standard service instances and the workload entry instances |
| outInstances := c.endpoints.InstancesByPort(c, svc, reqSvcPort, labels) |
| outInstances = append(outInstances, c.serviceInstancesFromWorkloadInstances(svc, reqSvcPort)...) |
| |
| // return when instances found or an error occurs |
| if len(outInstances) > 0 { |
| return outInstances |
| } |
| |
| // Fall back to external name service since we did not find any instances of normal services |
| c.RLock() |
| externalNameInstances := c.externalNameSvcInstanceMap[svc.Hostname] |
| c.RUnlock() |
| if externalNameInstances != nil { |
| inScopeInstances := make([]*model.ServiceInstance, 0) |
| for _, i := range externalNameInstances { |
| if i.Service.Attributes.Namespace == svc.Attributes.Namespace && i.ServicePort.Port == reqSvcPort { |
| inScopeInstances = append(inScopeInstances, i) |
| } |
| } |
| return inScopeInstances |
| } |
| return nil |
| } |
| |
| func (c *Controller) serviceInstancesFromWorkloadInstances(svc *model.Service, reqSvcPort int) []*model.ServiceInstance { |
| // Run through all the workload instances, select ones that match the service labels |
| // only if this is a kubernetes internal service and of ClientSideLB (eds) type |
| // as InstancesByPort is called by the aggregate controller. We dont want to include |
| // workload instances for any other registry |
| workloadInstancesExist := !c.workloadInstancesIndex.Empty() |
| c.RLock() |
| _, inRegistry := c.servicesMap[svc.Hostname] |
| c.RUnlock() |
| |
| // Only select internal Kubernetes services with selectors |
| if !inRegistry || !workloadInstancesExist || svc.Attributes.ServiceRegistry != provider.Kubernetes || |
| svc.MeshExternal || svc.Resolution != model.ClientSideLB || svc.Attributes.LabelSelectors == nil { |
| return nil |
| } |
| |
| selector := labels.Instance(svc.Attributes.LabelSelectors) |
| |
| // Get the service port name and target port so that we can construct the service instance |
| k8sService, err := c.serviceLister.Services(svc.Attributes.Namespace).Get(svc.Attributes.Name) |
| // We did not find the k8s service. We cannot get the targetPort |
| if err != nil { |
| log.Infof("serviceInstancesFromWorkloadInstances(%s.%s) failed to get k8s service => error %v", |
| svc.Attributes.Name, svc.Attributes.Namespace, err) |
| return nil |
| } |
| |
| var servicePort *model.Port |
| for _, p := range svc.Ports { |
| if p.Port == reqSvcPort { |
| servicePort = p |
| break |
| } |
| } |
| if servicePort == nil { |
| return nil |
| } |
| |
| // Now get the target Port for this service port |
| targetPort := findServiceTargetPort(servicePort, k8sService) |
| if targetPort.num == 0 { |
| targetPort.num = servicePort.Port |
| } |
| |
| out := make([]*model.ServiceInstance, 0) |
| |
| c.workloadInstancesIndex.ForEach(func(wi *model.WorkloadInstance) { |
| if wi.Namespace != svc.Attributes.Namespace { |
| return |
| } |
| if selector.SubsetOf(wi.Endpoint.Labels) { |
| instance := serviceInstanceFromWorkloadInstance(svc, servicePort, targetPort, wi) |
| if instance != nil { |
| out = append(out, instance) |
| } |
| } |
| }) |
| return out |
| } |
| |
| func serviceInstanceFromWorkloadInstance(svc *model.Service, servicePort *model.Port, |
| targetPort serviceTargetPort, wi *model.WorkloadInstance) *model.ServiceInstance { |
| // create an instance with endpoint whose service port name matches |
| istioEndpoint := *wi.Endpoint |
| |
| // by default, use the numbered targetPort |
| istioEndpoint.EndpointPort = uint32(targetPort.num) |
| |
| if targetPort.name != "" { |
| // This is a named port, find the corresponding port in the port map |
| matchedPort := wi.PortMap[targetPort.name] |
| if matchedPort != 0 { |
| istioEndpoint.EndpointPort = matchedPort |
| } else if targetPort.explicitName { |
| // No match found, and we expect the name explicitly in the service, skip this endpoint |
| return nil |
| } |
| } |
| |
| istioEndpoint.ServicePortName = servicePort.Name |
| return &model.ServiceInstance{ |
| Service: svc, |
| ServicePort: servicePort, |
| Endpoint: &istioEndpoint, |
| } |
| } |
| |
| // convenience function to collect all workload entry endpoints in updateEDS calls. |
| func (c *Controller) collectWorkloadInstanceEndpoints(svc *model.Service) []*model.IstioEndpoint { |
| workloadInstancesExist := !c.workloadInstancesIndex.Empty() |
| |
| if !workloadInstancesExist || svc.Resolution != model.ClientSideLB || len(svc.Ports) == 0 { |
| return nil |
| } |
| |
| endpoints := make([]*model.IstioEndpoint, 0) |
| for _, port := range svc.Ports { |
| for _, instance := range c.serviceInstancesFromWorkloadInstances(svc, port.Port) { |
| endpoints = append(endpoints, instance.Endpoint) |
| } |
| } |
| |
| return endpoints |
| } |
| |
| // GetProxyServiceInstances returns service instances co-located with a given proxy |
| // TODO: this code does not return k8s service instances when the proxy's IP is a workload entry |
| // To tackle this, we need a ip2instance map like what we have in service entry. |
| func (c *Controller) GetProxyServiceInstances(proxy *model.Proxy) []*model.ServiceInstance { |
| if len(proxy.IPAddresses) > 0 { |
| proxyIP := proxy.IPAddresses[0] |
| // look up for a WorkloadEntry; if there are multiple WorkloadEntry(s) |
| // with the same IP, choose one deterministically |
| workload := workloadinstances.GetInstanceForProxy(c.workloadInstancesIndex, proxy, proxyIP) |
| if workload != nil { |
| return c.serviceInstancesFromWorkloadInstance(workload) |
| } |
| pod := c.pods.getPodByProxy(proxy) |
| if pod != nil && !proxy.IsVM() { |
| // we don't want to use this block for our test "VM" which is actually a Pod. |
| |
| if !c.isControllerForProxy(proxy) { |
| log.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.Cluster()) |
| return nil |
| } |
| |
| // 1. find proxy service by label selector, if not any, there may exist headless service without selector |
| // failover to 2 |
| if services, err := getPodServices(c.serviceLister, pod); err == nil && len(services) > 0 { |
| out := make([]*model.ServiceInstance, 0) |
| for _, svc := range services { |
| out = append(out, c.getProxyServiceInstancesByPod(pod, svc, proxy)...) |
| } |
| return out |
| } |
| // 2. Headless service without selector |
| return c.endpoints.GetProxyServiceInstances(c, proxy) |
| } |
| |
| // 3. The pod is not present when this is called |
| // due to eventual consistency issues. However, we have a lot of information about the pod from the proxy |
| // metadata already. Because of this, we can still get most of the information we need. |
| // If we cannot accurately construct ServiceInstances from just the metadata, this will return an error and we can |
| // attempt to read the real pod. |
| out, err := c.getProxyServiceInstancesFromMetadata(proxy) |
| if err != nil { |
| log.Warnf("getProxyServiceInstancesFromMetadata for %v failed: %v", proxy.ID, err) |
| } |
| return out |
| } |
| |
| // TODO: This could not happen, remove? |
| if c.opts.Metrics != nil { |
| c.opts.Metrics.AddMetric(model.ProxyStatusNoService, proxy.ID, proxy.ID, "") |
| } else { |
| log.Infof("Missing metrics env, empty list of services for pod %s", proxy.ID) |
| } |
| return nil |
| } |
| |
| func (c *Controller) serviceInstancesFromWorkloadInstance(si *model.WorkloadInstance) []*model.ServiceInstance { |
| out := make([]*model.ServiceInstance, 0) |
| // find the workload entry's service by label selector |
| // rather than scanning through our internal map of model.services, get the services via the k8s apis |
| dummyPod := &v1.Pod{ |
| ObjectMeta: metav1.ObjectMeta{Namespace: si.Namespace, Labels: si.Endpoint.Labels}, |
| } |
| |
| // find the services that map to this workload entry, fire off eds updates if the service is of type client-side lb |
| if k8sServices, err := getPodServices(c.serviceLister, dummyPod); err == nil && len(k8sServices) > 0 { |
| for _, k8sSvc := range k8sServices { |
| service := c.GetService(kube.ServiceHostname(k8sSvc.Name, k8sSvc.Namespace, c.opts.DomainSuffix)) |
| // Note that this cannot be an external service because k8s external services do not have label selectors. |
| if service == nil || service.Resolution != model.ClientSideLB { |
| // may be a headless service |
| continue |
| } |
| |
| for _, servicePort := range service.Ports { |
| if servicePort.Protocol == protocol.UDP { |
| continue |
| } |
| |
| // Now get the target Port for this service port |
| targetPort := findServiceTargetPort(servicePort, k8sSvc) |
| if targetPort.num == 0 { |
| targetPort.num = servicePort.Port |
| } |
| |
| instance := serviceInstanceFromWorkloadInstance(service, servicePort, targetPort, si) |
| if instance != nil { |
| out = append(out, instance) |
| } |
| } |
| } |
| } |
| return out |
| } |
| |
| // WorkloadInstanceHandler defines the handler for service instances generated by other registries |
| func (c *Controller) WorkloadInstanceHandler(si *model.WorkloadInstance, event model.Event) { |
| // ignore malformed workload entries. And ignore any workload entry that does not have a label |
| // as there is no way for us to select them |
| if si.Namespace == "" || len(si.Endpoint.Labels) == 0 { |
| return |
| } |
| |
| // this is from a workload entry. Store it in separate index so that |
| // the InstancesByPort can use these as well as the k8s pods. |
| switch event { |
| case model.EventDelete: |
| c.workloadInstancesIndex.Delete(si) |
| default: // add or update |
| c.workloadInstancesIndex.Insert(si) |
| } |
| |
| // find the workload entry's service by label selector |
| // rather than scanning through our internal map of model.services, get the services via the k8s apis |
| dummyPod := &v1.Pod{ |
| ObjectMeta: metav1.ObjectMeta{Namespace: si.Namespace, Labels: si.Endpoint.Labels}, |
| } |
| |
| shard := model.ShardKeyFromRegistry(c) |
| // find the services that map to this workload entry, fire off eds updates if the service is of type client-side lb |
| if k8sServices, err := getPodServices(c.serviceLister, dummyPod); err == nil && len(k8sServices) > 0 { |
| for _, k8sSvc := range k8sServices { |
| service := c.GetService(kube.ServiceHostname(k8sSvc.Name, k8sSvc.Namespace, c.opts.DomainSuffix)) |
| // Note that this cannot be an external service because k8s external services do not have label selectors. |
| if service == nil || service.Resolution != model.ClientSideLB { |
| // may be a headless service |
| continue |
| } |
| |
| // Get the updated list of endpoints that includes k8s pods and the workload entries for this service |
| // and then notify the EDS server that endpoints for this service have changed. |
| // We need one endpoint object for each service port |
| endpoints := make([]*model.IstioEndpoint, 0) |
| for _, port := range service.Ports { |
| if port.Protocol == protocol.UDP { |
| continue |
| } |
| // Similar code as UpdateServiceShards in eds.go |
| instances := c.InstancesByPort(service, port.Port, nil) |
| for _, inst := range instances { |
| endpoints = append(endpoints, inst.Endpoint) |
| } |
| } |
| // fire off eds update |
| c.opts.XDSUpdater.EDSUpdate(shard, string(service.Hostname), service.Attributes.Namespace, endpoints) |
| } |
| } |
| } |
| |
| func (c *Controller) onSystemNamespaceEvent(obj interface{}, ev model.Event) error { |
| if ev == model.EventDelete { |
| return nil |
| } |
| ns, ok := obj.(*v1.Namespace) |
| if !ok { |
| log.Warnf("Namespace watch getting wrong type in event: %T", obj) |
| return nil |
| } |
| if ns == nil { |
| return nil |
| } |
| nw := ns.Labels[label.TopologyNetwork.Name] |
| c.Lock() |
| oldDefaultNetwork := c.network |
| c.network = network.ID(nw) |
| c.Unlock() |
| // network changed, rarely happen |
| if oldDefaultNetwork != c.network { |
| // refresh pods/endpoints/services |
| c.onDefaultNetworkChange() |
| } |
| return nil |
| } |
| |
| // isControllerForProxy should be used for proxies assumed to be in the kube cluster for this controller. Workload Entries |
| // may not necessarily pass this check, but we still want to allow kube services to select workload instances. |
| func (c *Controller) isControllerForProxy(proxy *model.Proxy) bool { |
| return proxy.Metadata.ClusterID == "" || proxy.Metadata.ClusterID == c.Cluster() |
| } |
| |
| // getProxyServiceInstancesFromMetadata retrieves ServiceInstances using proxy Metadata rather than |
| // from the Pod. This allows retrieving Instances immediately, regardless of delays in Kubernetes. |
| // If the proxy doesn't have enough metadata, an error is returned |
| func (c *Controller) getProxyServiceInstancesFromMetadata(proxy *model.Proxy) ([]*model.ServiceInstance, error) { |
| if len(proxy.Metadata.Labels) == 0 { |
| return nil, nil |
| } |
| |
| if !c.isControllerForProxy(proxy) { |
| return nil, fmt.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.Cluster()) |
| } |
| |
| // Create a pod with just the information needed to find the associated Services |
| dummyPod := &v1.Pod{ |
| ObjectMeta: metav1.ObjectMeta{ |
| Namespace: proxy.ConfigNamespace, |
| Labels: proxy.Metadata.Labels, |
| }, |
| } |
| |
| // Find the Service associated with the pod. |
| services, err := getPodServices(c.serviceLister, dummyPod) |
| if err != nil { |
| return nil, fmt.Errorf("error getting instances for %s: %v", proxy.ID, err) |
| } |
| if len(services) == 0 { |
| return nil, fmt.Errorf("no instances found for %s: %v", proxy.ID, err) |
| } |
| |
| out := make([]*model.ServiceInstance, 0) |
| for _, svc := range services { |
| hostname := kube.ServiceHostname(svc.Name, svc.Namespace, c.opts.DomainSuffix) |
| modelService := c.GetService(hostname) |
| if modelService == nil { |
| return nil, fmt.Errorf("failed to find model service for %v", hostname) |
| } |
| |
| for _, modelService := range c.servicesForNamespacedName(kube.NamespacedNameForK8sObject(svc)) { |
| discoverabilityPolicy := c.exports.EndpointDiscoverabilityPolicy(modelService) |
| |
| tps := make(map[model.Port]*model.Port) |
| tpsList := make([]model.Port, 0) |
| for _, port := range svc.Spec.Ports { |
| svcPort, f := modelService.Ports.Get(port.Name) |
| if !f { |
| return nil, fmt.Errorf("failed to get svc port for %v", port.Name) |
| } |
| |
| var portNum int |
| if len(proxy.Metadata.PodPorts) > 0 { |
| portNum, err = findPortFromMetadata(port, proxy.Metadata.PodPorts) |
| if err != nil { |
| return nil, fmt.Errorf("failed to find target port for %v: %v", proxy.ID, err) |
| } |
| } else { |
| // most likely a VM - we assume the WorkloadEntry won't remap any ports |
| portNum = port.TargetPort.IntValue() |
| } |
| |
| // Dedupe the target ports here - Service might have configured multiple ports to the same target port, |
| // we will have to create only one ingress listener per port and protocol so that we do not endup |
| // complaining about listener conflicts. |
| targetPort := model.Port{ |
| Port: portNum, |
| Protocol: svcPort.Protocol, |
| } |
| if _, exists := tps[targetPort]; !exists { |
| tps[targetPort] = svcPort |
| tpsList = append(tpsList, targetPort) |
| } |
| } |
| |
| epBuilder := NewEndpointBuilderFromMetadata(c, proxy) |
| // Iterate over target ports in the same order as defined in service spec, in case of |
| // protocol conflict for a port causes unstable protocol selection for a port. |
| for _, tp := range tpsList { |
| svcPort := tps[tp] |
| // consider multiple IP scenarios |
| for _, ip := range proxy.IPAddresses { |
| // Construct the ServiceInstance |
| out = append(out, &model.ServiceInstance{ |
| Service: modelService, |
| ServicePort: svcPort, |
| Endpoint: epBuilder.buildIstioEndpoint(ip, int32(tp.Port), svcPort.Name, discoverabilityPolicy), |
| }) |
| } |
| } |
| } |
| } |
| return out, nil |
| } |
| |
| func (c *Controller) getProxyServiceInstancesByPod(pod *v1.Pod, |
| service *v1.Service, proxy *model.Proxy) []*model.ServiceInstance { |
| var out []*model.ServiceInstance |
| |
| for _, svc := range c.servicesForNamespacedName(kube.NamespacedNameForK8sObject(service)) { |
| discoverabilityPolicy := c.exports.EndpointDiscoverabilityPolicy(svc) |
| |
| tps := make(map[model.Port]*model.Port) |
| tpsList := make([]model.Port, 0) |
| for _, port := range service.Spec.Ports { |
| svcPort, exists := svc.Ports.Get(port.Name) |
| if !exists { |
| continue |
| } |
| // find target port |
| portNum, err := FindPort(pod, &port) |
| if err != nil { |
| log.Warnf("Failed to find port for service %s/%s: %v", service.Namespace, service.Name, err) |
| continue |
| } |
| // Dedupe the target ports here - Service might have configured multiple ports to the same target port, |
| // we will have to create only one ingress listener per port and protocol so that we do not endup |
| // complaining about listener conflicts. |
| targetPort := model.Port{ |
| Port: portNum, |
| Protocol: svcPort.Protocol, |
| } |
| if _, exists := tps[targetPort]; !exists { |
| tps[targetPort] = svcPort |
| tpsList = append(tpsList, targetPort) |
| } |
| } |
| |
| builder := NewEndpointBuilder(c, pod) |
| // Iterate over target ports in the same order as defined in service spec, in case of |
| // protocol conflict for a port causes unstable protocol selection for a port. |
| for _, tp := range tpsList { |
| svcPort := tps[tp] |
| // consider multiple IP scenarios |
| for _, ip := range proxy.IPAddresses { |
| istioEndpoint := builder.buildIstioEndpoint(ip, int32(tp.Port), svcPort.Name, discoverabilityPolicy) |
| out = append(out, &model.ServiceInstance{ |
| Service: svc, |
| ServicePort: svcPort, |
| Endpoint: istioEndpoint, |
| }) |
| } |
| } |
| } |
| |
| return out |
| } |
| |
| func (c *Controller) GetProxyWorkloadLabels(proxy *model.Proxy) labels.Instance { |
| pod := c.pods.getPodByProxy(proxy) |
| if pod != nil { |
| return pod.Labels |
| } |
| return nil |
| } |
| |
| // GetIstioServiceAccounts returns the Istio service accounts running a service |
| // hostname. Each service account is encoded according to the SPIFFE VSID spec. |
| // For example, a service account named "bar" in namespace "foo" is encoded as |
| // "spiffe://cluster.local/ns/foo/sa/bar". |
| func (c *Controller) GetIstioServiceAccounts(svc *model.Service, ports []int) []string { |
| return model.GetServiceAccounts(svc, ports, c) |
| } |
| |
| // AppendServiceHandler implements a service catalog operation |
| func (c *Controller) AppendServiceHandler(f func(*model.Service, model.Event)) { |
| c.handlers.AppendServiceHandler(f) |
| } |
| |
| // AppendWorkloadHandler implements a service catalog operation |
| func (c *Controller) AppendWorkloadHandler(f func(*model.WorkloadInstance, model.Event)) { |
| c.handlers.AppendWorkloadHandler(f) |
| } |
