Default exports, and config root namespace (istio#11387)

* default exportTo flags Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * format Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nit Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * compile fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm stuff Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * istio-config namespace and default sidecar scope Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * spell fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * nits Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * reorder initialization steps Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test compile fixes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * helm tweaks Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * missing helm file * allow ~ in sidecar imports Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * bad copy paste Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * test fix Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undo framework change Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * Revert "bad copy paste" This reverts commit 934b54a. * Revert "missing helm file" This reverts commit 992685d. * Revert "helm tweaks" This reverts commit 5b78b92. * redos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * lists Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * quotes Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * tests Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com> * undos Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
qfel · Feb 14, 2019 · 0eecb3c · 0eecb3c
1 parent 612ada7
commit 0eecb3c
Show file tree

Hide file tree

Showing 46 changed files with 2,081 additions and 1,010 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/install/kubernetes/global-default-sidecar-scope.yaml b/install/kubernetes/global-default-sidecar-scope.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-config
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default-sidecar-scope
+  namespace: istio-config
+spec:
+  egress:
+    # If this config is applied, sidecars will only be able to talk to
+    # other services in the same namespace, in addition to istio-telemetry
+    # and istio-policy
+  - hosts:
+    - "./*"
+    - "istio-system/istio-telemetry.istio-system.svc.cluster.local"
+    - "istio-system/istio-policy.istio-system.svc.cluster.local"
+---
diff --git a/install/kubernetes/helm/istio/templates/configmap.yaml b/install/kubernetes/helm/istio/templates/configmap.yaml
@@ -85,6 +85,30 @@ data:
     outboundTrafficPolicy:
       mode: {{ .Values.global.outboundTrafficPolicy.mode }}
 
+    {{- if .Values.global.configRootNamespace }}
+    # The namespace to treat as the administrative root namespace for istio
+    # configuration. Set this field to a dedicated namespace if you want to
+    # all sidecars to be able to communicate with services in their
+    # namespace alone. This dedicated namespace should have a default
+    # Sidecar config
+    rootNamespace: {{ .Values.global.configRootNamespace }}
+    {{- end }}
+
+    {{- if .Values.global.defaultConfigVisibilitySettings }}
+    defaultServiceExportTo:
+      {{- range .Values.global.defaultConfigVisibilitySettings }}
+      - {{ . | quote }}
+      {{- end }}
+    defaultVirtualServiceExportTo:
+      {{- range .Values.global.defaultConfigVisibilitySettings }}
+      - {{ . | quote }}
+      {{- end }}
+    defaultDestinationRuleExportTo:
+      {{- range .Values.global.defaultConfigVisibilitySettings }}
+      - {{ . | quote }}
+      {{- end }}
+    {{- end }}
+
     defaultConfig:
       #
       # TCP connection timeout between Envoy & the application, and between Envoys.

diff --git a/install/kubernetes/helm/istio/values.yaml b/install/kubernetes/helm/istio/values.yaml
@@ -134,7 +134,7 @@ global:
     resources:
       requests:
         cpu: 10m
-        memory: 30Mi
+      #  memory: 128Mi
       # limits:
       #   cpu: 100m
       #   memory: 128Mi
@@ -259,7 +259,7 @@ global:
   # to use for pulling any images in pods that reference this ServiceAccount.
   # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
   # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
-  # Must be set for any cluster configured with private docker registry.
+  # Must be set for any clustser configured with private docker registry.
   imagePullSecrets:
     # - private-registry-key
 
@@ -277,9 +277,9 @@ global:
   # If not set, controller watches all namespaces
   oneNamespace: false
 
-  # Default node selector to be applied to all deployments so that all pods can be
-  # constrained to run a particular nodes. Each component can overwrite these default
-  # values by adding its node selector block in the relevant section below and setting
+  # Default node selector to be applied to all deployments so that all pods can be 
+  # constrained to run a particular nodes. Each component can overwrite these default 
+  # values by adding its node selector block in the relevant section below and setting 
   # the desired values.
   defaultNodeSelector: {}
 
@@ -320,7 +320,7 @@ global:
   defaultResources:
     requests:
       cpu: 10m
-      memory: 30Mi
+    #   memory: 128Mi
     # limits:
     #   cpu: 100m
     #   memory: 128Mi
@@ -359,6 +359,19 @@ global:
   outboundTrafficPolicy:
     mode: REGISTRY_ONLY
 
+  # The namespace where globally shared configurations should be present.
+  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
+  # default Sidecar configs, etc. should be added to this namespace.
+  # configRootNamespace: istio-config
+
+  # set the default set of namespaces to which services, service entries, virtual services, destination
+  # rules should be exported to. Currently only one value can be provided in this list. This value
+  # should be one of the following two options:
+  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host  
+  defaultConfigVisibilitySettings:
+  - '*'
+
   sds:
     # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
     # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.

diff --git a/install/kubernetes/helm/subcharts/mixer/templates/service.yaml b/install/kubernetes/helm/subcharts/mixer/templates/service.yaml
@@ -6,6 +6,8 @@ kind: Service
 metadata:
   name: istio-{{ $key }}
   namespace: {{ $.Release.Namespace }}
+  annotations:
+   networking.istio.io/exportTo: "*"
   labels:
     app: {{ template "mixer.name" $ }}
     chart: {{ template "mixer.chart" $ }}

diff --git a/mixer/test/client/env/ports.go b/mixer/test/client/env/ports.go
@@ -61,6 +61,7 @@ const (
 	RbacGlobalPermissiveTest
 	RbacPolicyPermissiveTest
 	GatewayTest
+	SidecarTest
 
 	// The number of total tests. has to be the last one.
 	maxTestNum

diff --git a/pilot/pkg/model/context.go b/pilot/pkg/model/context.go
@@ -146,7 +146,7 @@ func (node *Proxy) ServiceNode() string {
 
 // GetProxyVersion returns the proxy version string identifier, and whether it is present.
 func (node *Proxy) GetProxyVersion() (string, bool) {
-	version, found := node.Metadata["ISTIO_PROXY_VERSION"]
+	version, found := node.Metadata[NodeMetadataIstioProxyVersion]
 	return version, found
 }
 
@@ -164,7 +164,7 @@ const (
 // GetRouterMode returns the operating mode associated with the router.
 // Assumes that the proxy is of type Router
 func (node *Proxy) GetRouterMode() RouterMode {
-	if modestr, found := node.Metadata["ROUTER_MODE"]; found {
+	if modestr, found := node.Metadata[NodeMetadataRouterMode]; found {
 		switch RouterMode(modestr) {
 		case SniDnatRouter:
 			return SniDnatRouter
@@ -214,7 +214,7 @@ func GetNetworkView(node *Proxy) map[string]bool {
 	}
 
 	nmap := make(map[string]bool)
-	if networks, found := node.Metadata["REQUESTED_NETWORK_VIEW"]; found {
+	if networks, found := node.Metadata[NodeMetadataRequestedNetworkView]; found {
 		for _, n := range strings.Split(networks, ",") {
 			nmap[n] = true
 		}
@@ -265,7 +265,7 @@ func ParseServiceNodeWithMetadata(s string, metadata map[string]string) (*Proxy,
 	}
 
 	// Get all IP Addresses from Metadata
-	if ipstr, found := metadata["ISTIO_META_INSTANCE_IPS"]; found {
+	if ipstr, found := metadata[NodeMetadataInstanceIPs]; found {
 		ipAddresses, err := parseIPAddresses(ipstr)
 		if err == nil {
 			out.IPAddresses = ipAddresses
@@ -488,6 +488,9 @@ func isValidIPAddress(ip string) bool {
 // Pile all node metadata constants here
 const (
 
+	// NodeMetadataIstioProxyVersion specifies the Envoy version associated with the proxy
+	NodeMetadataIstioProxyVersion = "ISTIO_PROXY_VERSION"
+
 	// NodeMetadataNetwork defines the network the node belongs to. It is an optional metadata,
 	// set at injection time. When set, the Endpoints returned to a note and not on same network
 	// will be replaced with the gateway defined in the settings.
@@ -504,6 +507,16 @@ const (
 	// NodeMetadataSidecarUID is the user ID running envoy. Pilot can check if envoy runs as root, and may generate
 	// different configuration. If not set, the default istio-proxy UID (1337) is assumed.
 	NodeMetadataSidecarUID = "SIDECAR_UID"
+
+	// NodeMetadataRequestedNetworkView specifies the networks that the proxy wants to see
+	NodeMetadataRequestedNetworkView = "REQUESTED_NETWORK_VIEW"
+
+	// NodeMetadataRouterMode indicates whether the proxy is functioning as a SNI-DNAT router
+	// processing the AUTO_PASSTHROUGH gateway servers
+	NodeMetadataRouterMode = "ROUTER_MODE"
+
+	// NodeMetadataInstanceIPs is the set of IPs attached to this proxy
+	NodeMetadataInstanceIPs = "INSTANCE_IPS"
 )
 
 // TrafficInterceptionMode indicates how traffic to/from the workload is captured and

diff --git a/pilot/pkg/model/context_test.go b/pilot/pkg/model/context_test.go
@@ -49,7 +49,7 @@ func TestServiceNode(t *testing.T) {
 				IPAddresses: []string{"10.3.3.3", "10.4.4.4", "10.5.5.5", "10.6.6.6"},
 				DNSDomain:   "local",
 				Metadata: map[string]string{
-					"ISTIO_META_INSTANCE_IPS": "10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6",
+					"INSTANCE_IPS": "10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6",
 				},
 			},
 			out: "sidecar~10.3.3.3~random~local",

diff --git a/pilot/pkg/model/destination_rule.go b/pilot/pkg/model/destination_rule.go
@@ -20,7 +20,10 @@ import (
 	networking "istio.io/api/networking/v1alpha3"
 )
 
-// combineSingleDestinationRule concatenates the destRuleConfig with the existing combinedDestinationRuleMap
+// This function merges one or more destination rules for a given host string
+// into a single destination rule. Note that it does not perform inheritance style merging.
+// IOW, given three dest rules (*.foo.com, *.foo.com, *.com), calling this function for
+// each config will result in a final dest rule set (*.foo.com, and *.com).
 func (ps *PushContext) combineSingleDestinationRule(
 	combinedDestRuleHosts []Hostname,
 	combinedDestRuleMap map[Hostname]*combinedDestinationRule,