From 5c94411f749ed8ea6f6df3c7ab413a1f49755f1d Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Fri, 6 Sep 2024 11:44:28 -0400
Subject: [PATCH 1/6] Automator: update istio/client-go@release-1.23 dependency in istio/istio@release-1.23 (#53032)
---
go.mod | 4 ++--
go.sum | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index df12d677d8ed..a61ed9ba511f 100644
--- a/go.mod
+++ b/go.mod
@@ -98,8 +98,8 @@ require (
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.15.1
- istio.io/api v1.23.1-0.20240821135524-978ac3b543c0
- istio.io/client-go v1.23.1-0.20240821140023-42f73330498c
+ istio.io/api v1.23.1-0.20240906150629-ba126bb830f0
+ istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43
 k8s.io/api v0.30.1
 k8s.io/apiextensions-apiserver v0.30.1
 k8s.io/apimachinery v0.30.1
diff --git a/go.sum b/go.sum
index 978b9b45c1e3..fd6320327765 100644
--- a/go.sum
+++ b/go.sum
@@ -1009,10 +1009,10 @@ helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.23.1-0.20240821135524-978ac3b543c0 h1:WO2cBln4Hjm+M8S8wExj+g/eZ46cFaqoJSLgdTwKWOk=
-istio.io/api v1.23.1-0.20240821135524-978ac3b543c0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
-istio.io/client-go v1.23.1-0.20240821140023-42f73330498c h1:EfBRgH6Oyi4pR1+SPzQn60u+PZ6uMdtchUCv3IjG3/Y=
-istio.io/client-go v1.23.1-0.20240821140023-42f73330498c/go.mod h1:+fxu+O2GkITM3HEREUWdobvRXqI/UhAAI7hfxqqpRh0=
+istio.io/api v1.23.1-0.20240906150629-ba126bb830f0 h1:utRdmZryJWw71X1flREUJFLk56QCl2JdVuP3xsvDcMI=
+istio.io/api v1.23.1-0.20240906150629-ba126bb830f0/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM=
+istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43 h1:/HbrtBiDEiTsQRrzkdcfNgKr+GUp/JFWc5U3ZL/QUmk=
+istio.io/client-go v1.23.1-0.20240906150928-c84358ed0e43/go.mod h1:E08wpMtUulJk2tlWOCUVakjy1bKFxUNm22tM1R1QY0Y=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
From 3b48d2dfd15c393447eada96fca36b4e22654b37 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Mon, 9 Sep 2024 15:43:31 -0400
Subject: [PATCH 2/6] Fix tests when ingress gateway deployed in custom namespace (#53059)
Signed-off-by: Andrej Smigala
Co-authored-by: Andrej Smigala
---
tests/integration/pilot/gateway_test.go | 4 ++--
tests/integration/pilot/istioctl_test.go | 5 +++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/tests/integration/pilot/gateway_test.go b/tests/integration/pilot/gateway_test.go
index 02393a5391d3..5dcf98230d03 100644
--- a/tests/integration/pilot/gateway_test.go
+++ b/tests/integration/pilot/gateway_test.go
@@ -637,7 +637,7 @@ func TestGatewayReadinessProbes(t *testing.T) {
 Run(func(t framework.TestContext) {
 c := t.Clusters().Default()
 var svc *corev1.Service
- svc, _, err := testKube.WaitUntilServiceEndpointsAreReady(c.Kube(), "istio-system", "istio-ingressgateway")
+ svc, _, err := testKube.WaitUntilServiceEndpointsAreReady(c.Kube(), i.IngressFor(c).Namespace(), "istio-ingressgateway")
 if err != nil {
 t.Fatalf("error getting ingress gateway svc ips: %v", err)
 }
@@ -669,7 +669,7 @@ func TestGatewayMetricsEndpoints(t *testing.T) {
 RequiresLocalControlPlane().
 Run(func(t framework.TestContext) {
 c := t.Clusters().Default()
- podIPs, err := i.PodIPsFor(c, i.Settings().SystemNamespace, "app=istio-ingressgateway")
+ podIPs, err := i.PodIPsFor(c, i.IngressFor(c).Namespace(), "app=istio-ingressgateway")
 if err != nil {
 t.Fatalf("error getting ingress gateway pod ips: %v", err)
 }
diff --git a/tests/integration/pilot/istioctl_test.go b/tests/integration/pilot/istioctl_test.go
index d7e47ac790da..e78272eb18fd 100644
--- a/tests/integration/pilot/istioctl_test.go
+++ b/tests/integration/pilot/istioctl_test.go
@@ -369,7 +369,8 @@ func TestAuthZCheck(t *testing.T) {
 "GatewayIstioLabel": istioLabel,
 }, "testdata/authz-b.yaml").ApplyOrFail(t)
- gwPod, err := i.IngressFor(t.Clusters().Default()).PodID(0)
+ ingress := i.IngressFor(t.Clusters().Default())
+ gwPod, err := ingress.PodID(0)
 if err != nil {
 t.Fatalf("Could not get Pod ID: %v", err)
 }
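Review bot: Both gateway_test.go hunks now read the namespace from `i.IngressFor(c).Namespace()` but keep the literal service name `"istio-ingressgateway"` (TestGatewayReadinessProbes) and the literal selector `"app=istio-ingressgateway"` (TestGatewayMetricsEndpoints). If an installation that moves the gateway to a custom namespace can also rename or relabel it, these lookups would still miss it; whether that is possible is not visible in the hunks. Either take the name and label from the same ingress settings, or state the assumption next to the calls, for example `// gateway name and app label are assumed fixed; only the namespace is configurable`. Both test functions continue outside the hunks.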
@@ -385,7 +386,7 @@ func TestAuthZCheck(t *testing.T) {
 }{
 {
 name: "ingressgateway",
- pod: fmt.Sprintf("%s.%s", gwPod, i.Settings().SystemNamespace),
+ pod: fmt.Sprintf("%s.%s", gwPod, ingress.Namespace()),
 wants: []*regexp.Regexp{
 regexp.MustCompile(fmt.Sprintf(`DENY\s+deny-policy\.%s\s+2`, i.Settings().SystemNamespace)),
 regexp.MustCompile(fmt.Sprintf(`ALLOW\s+allow-policy\.%s\s+1`, i.Settings().SystemNamespace)),
From 02435e7af04cedf10fd4aadc4c79e64b8c6bd41c Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Tue, 10 Sep 2024 18:02:33 -0400
Subject: [PATCH 3/6] Automator: update ztunnel@release-1.23 in istio/istio@release-1.23 (#53079)
---
istio.deps | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/istio.deps b/istio.deps
index 75dfa147b28d..98b7e7ba5385 100644
--- a/istio.deps
+++ b/istio.deps
@@ -11,6 +11,6 @@
 "name": "ZTUNNEL_REPO_SHA",
 "repoName": "ztunnel",
 "file": "",
- "lastStableSHA": "245ecc111ba1cbe9bd2923f24be609e656a191ad"
+ "lastStableSHA": "3ead5b81415936e1d3d7f4e81b0d87178817b289"
 }
 ]
From 971c3666a71f4be068774c612111434831b538b2 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Wed, 11 Sep 2024 11:53:34 -0400
Subject: [PATCH 4/6] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53093)
---
istio.deps | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/istio.deps b/istio.deps
index 98b7e7ba5385..3e39e7d5c002 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,7 +4,7 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "9da6ab5663bca846996adcb4414dc6bf7bf0d3eb"
+ "lastStableSHA": "f089793b409f2655334bd1a1adec213ac03b1035"
 },
 {
 "_comment": "",
From b56f6a27a06667e9049c4639c46cb84bc93deabe Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Fri, 13 Sep 2024 11:49:12 -0400
Subject: [PATCH 5/6] Automator: update proxy@release-1.23 in istio/istio@release-1.23 (#53129)
---
istio.deps | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
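Review bot: In TestAuthZCheck (tests/integration/pilot/istioctl_test.go, hunk at -385), the `pod` value now uses `ingress.Namespace()` while the two `wants` patterns directly below it still interpolate `i.Settings().SystemNamespace`, and nothing says whether that split is intended. If the deny and allow policies from testdata/authz-b.yaml are always created in the system namespace, a comment such as `// policies stay in the system namespace; only the gateway pod follows the ingress namespace` would keep a later reader from changing the regexes; if the policies follow the gateway, the patterns need the same substitution. The test table and the function continue outside the hunk, so where the policies are applied cannot be confirmed from here.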
diff --git a/istio.deps b/istio.deps
index 3e39e7d5c002..29b0a0489380 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,7 +4,7 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "f089793b409f2655334bd1a1adec213ac03b1035"
+ "lastStableSHA": "94ed360d6e7afb84546716e194b4c2fcc601e651"
 },
 {
 "_comment": "",
From da0b3f29e9f9eef387691bdf5870a6d665c704c9 Mon Sep 17 00:00:00 2001
From: "Jackie Maertens (Elliott)" <64559656+jaellio@users.noreply.github.com>
Date: Tue, 17 Sep 2024 12:00:16 -0700
Subject: [PATCH 6/6] [release-1.23] Update proxy repo SHA for release-1.23.2 (#139)
* [release-1.23] Update proxy repo SHA for release-1.23.2
Signed-off-by: Jackie Elliott
* Explicitly set internal addresses in Http Connection Manager when PILOT_SIDECAR_USE_REMOTE_ADDRESS is set to true for the sidecar.
Signed-off-by: Jackie Elliott
* Add unit test for setting runtimeValues in envoy config
Signed-off-by: Jackie Elliott
* Update SHA
Signed-off-by: Jackie Elliott
* Make gen on explicit internal address golden
Signed-off-by: Jackie Elliott
* Fix SHA
Signed-off-by: Jackie Elliott
* Use httpOpts instead of features useRemoteAddress to ensure it is only set for outbound sidecars
Signed-off-by: Jackie Elliott
---------
Signed-off-by: Jackie Elliott
---
istio.deps | 2 +-
pilot/pkg/networking/core/listener_builder.go | 5 +-
.../networking/core/listener_builder_test.go | 69 +++
pkg/bootstrap/instance_test.go | 3 +
.../explicit_internal_address.proxycfg | 12 +
.../explicit_internal_address_golden.json | 433 ++++++++++++++++++
6 files changed, 522 insertions(+), 2 deletions(-)
create mode 100644 pkg/bootstrap/testdata/explicit_internal_address.proxycfg
create mode 100644 pkg/bootstrap/testdata/explicit_internal_address_golden.json
diff --git a/istio.deps b/istio.deps
index 29b0a0489380..71f20d16bab2 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,7 +4,7 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "94ed360d6e7afb84546716e194b4c2fcc601e651"
+ "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35"
 },
 {
 "_comment": "",
diff --git a/pilot/pkg/networking/core/listener_builder.go b/pilot/pkg/networking/core/listener_builder.go
index 33735da106b3..4176eca04279 100644
--- a/pilot/pkg/networking/core/listener_builder.go
+++ b/pilot/pkg/networking/core/listener_builder.go
@@ -421,7 +421,10 @@ func (lb *ListenerBuilder) buildHTTPConnectionManager(httpOpts *httpListenerOpts
 connectionManager.HttpFilters = filters
 connectionManager.RequestIdExtension = requestidextension.BuildUUIDRequestIDExtension(reqIDExtensionCtx)
- if features.EnableHCMInternalNetworks && lb.push.Networks != nil {
+ // If UseRemoteAddress is set, we must set the internal address config in preparation for envoy
+ // internal addresses defaulting to empty set. Currently, the internal addresses defaulted to
+ // all private IPs but this will change in the future.
+ if (features.EnableHCMInternalNetworks || httpOpts.useRemoteAddress) && lb.push.Networks != nil {
 for _, internalnetwork := range lb.push.Networks.Networks {
 iac := &hcm.HttpConnectionManager_InternalAddressConfig{}
 for _, ne := range internalnetwork.Endpoints {
diff --git a/pilot/pkg/networking/core/listener_builder_test.go b/pilot/pkg/networking/core/listener_builder_test.go
index 06f98da5b921..b5b58ad40413 100644
--- a/pilot/pkg/networking/core/listener_builder_test.go
+++ b/pilot/pkg/networking/core/listener_builder_test.go
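Review bot: In buildHTTPConnectionManager (pilot/pkg/networking/core/listener_builder.go), the new condition still requires `lb.push.Networks != nil`, so a listener with `httpOpts.useRemoteAddress` set but no MeshNetworks keeps `InternalAddressConfig` unset and goes on relying on the Envoy default that the added comment says will change. The internal address set decides which downstream peers Envoy treats as internal for header sanitization, so that fallback is worth stating beside the condition, for example `// With no MeshNetworks, InternalAddressConfig stays nil and Envoy's own default internal ranges apply.` The comment's "the internal addresses defaulted to" should also read "default to". The loop body runs past the end of the hunk, so how a network without CIDR endpoints is handled is not visible here.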
@@ -844,6 +844,75 @@ func TestHCMInternalAddressConfig(t *testing.T) {
 }
 }
+func TestUseRemoteAddressInternalAddressConfig(t *testing.T) {
+ cg := NewConfigGenTest(t, TestOptions{})
+ sidecarProxy := cg.SetupProxy(&model.Proxy{ConfigNamespace: "not-default"})
+ push := cg.PushContext()
+ cases := []struct {
+ name string
+ networks *meshconfig.MeshNetworks
+ expectedconfig *hcm.HttpConnectionManager_InternalAddressConfig
+ }{
+ {
+ name: "nil networks",
+ expectedconfig: nil,
+ },
+ {
+ name: "empty networks",
+ networks: &meshconfig.MeshNetworks{},
+ expectedconfig: nil,
+ },
+ {
+ name: "networks populated",
+ networks: &meshconfig.MeshNetworks{
+ Networks: map[string]*meshconfig.Network{
+ "default": {
+ Endpoints: []*meshconfig.Network_NetworkEndpoints{
+ {
+ Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+ FromCidr: "192.168.0.0/16",
+ },
+ },
+ {
+ Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+ FromCidr: "172.16.0.0/12",
+ },
+ },
+ },
+ },
+ },
+ },
+ expectedconfig: &hcm.HttpConnectionManager_InternalAddressConfig{
+ CidrRanges: []*core.CidrRange{
+ {
+ AddressPrefix: "192.168.0.0",
+ PrefixLen: &wrapperspb.UInt32Value{Value: 16},
+ },
+ {
+ AddressPrefix: "172.16.0.0",
+ PrefixLen: &wrapperspb.UInt32Value{Value: 12},
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range cases {
+ t.Run(tt.name, func(t *testing.T) {
+ push.Networks = tt.networks
+ lb := &ListenerBuilder{
+ push: push,
+ node: sidecarProxy,
+ authzCustomBuilder: &authz.Builder{},
+ authzBuilder: &authz.Builder{},
+ }
+ httpConnManager := lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: true})
+ if !reflect.DeepEqual(tt.expectedconfig, httpConnManager.InternalAddressConfig) {
+ t.Errorf("unexpected internal address config, expected: %v, got :%v", tt.expectedconfig, httpConnManager.InternalAddressConfig)
+ }
+ })
+ }
+}
+
 func TestAdditionalAddressesForIPv6(t *testing.T) {
 test.SetForTest(t, &features.EnableAdditionalIpv4OutboundListenerForIpv6Only, true)
 cg := NewConfigGenTest(t, TestOptions{Services: testServices})
diff --git a/pkg/bootstrap/instance_test.go b/pkg/bootstrap/instance_test.go
index 5488316cc8bb..5094470df40b 100644
--- a/pkg/bootstrap/instance_test.go
+++ b/pkg/bootstrap/instance_test.go
@@ -108,6 +108,9 @@ func TestGolden(t *testing.T) {
 {
 base: "default",
 },
+ {
+ base: "explicit_internal_address",
+ },
 {
 base: "legacy_stats_tags_regex",
 envVars: map[string]string{
diff --git a/pkg/bootstrap/testdata/explicit_internal_address.proxycfg b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
new file mode 100644
index 000000000000..f8f7a21a59c4
--- /dev/null
+++ b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
@@ -0,0 +1,12 @@
+config_path: "/etc/istio/proxy"
+binary_path: "/usr/local/bin/envoy"
+service_cluster: "istio-proxy"
+drain_duration: {seconds: 2}
+discovery_address: "istio-pilot:15010"
+proxy_admin_port: 15000
+control_plane_auth_policy: NONE
+runtime_values: [{ key: "envoy.reloadable_features.explicit_internal_address_config" value: "true" }]
+
+#
+# This matches the default configuration hardcoded in model.DefaultProxyConfig
+# Flags may override this configuration, as specified by the injector configs.
diff --git a/pkg/bootstrap/testdata/explicit_internal_address_golden.json b/pkg/bootstrap/testdata/explicit_internal_address_golden.json
new file mode 100644
index 000000000000..b3a34590d7f1
--- /dev/null
+++ b/pkg/bootstrap/testdata/explicit_internal_address_golden.json
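Review bot: TestUseRemoteAddressInternalAddressConfig (pilot/pkg/networking/core/listener_builder_test.go) only ever builds with `&httpListenerOpts{useRemoteAddress: true}`, so nothing asserts the other half of the change: that `InternalAddressConfig` stays nil when `useRemoteAddress` is false and networks are populated. The commit message describes exactly that property ("only set for outbound sidecars"), and a case that passes `useRemoteAddress: false` with the "networks populated" input and expects nil would pin it, assuming `features.EnableHCMInternalNetworks` is off in this test, which the hunk does not show. The failure message also has a misplaced space in `got :%v`, which should read `got: %v`.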
@@ -0,0 +1,433 @@ +{ + "application_log_config": { + "log_format": { + "text_format": "%Y-%m-%dT%T.%fZ\t%l\tenvoy %n %g:%#\t%v\tthread=%t" + } + }, + "node": { + "id": "sidecar~1.2.3.4~foo~bar", + "cluster": "istio-proxy", + "locality": { + }, + "metadata": {"ENVOY_PROMETHEUS_PORT":15090,"ENVOY_STATUS_PORT":15021,"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","ISTIO_VERSION":"binary-1.0","OUTLIER_LOG_PATH":"/dev/stdout","PILOT_SAN":["spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account"],"PROXY_CONFIG":{"binaryPath":"/usr/local/bin/envoy","configPath":"/tmp/bootstrap/explicit_internal_address","customConfigFile":"envoy_bootstrap.json","discoveryAddress":"istio-pilot:15010","drainDuration":"2s","proxyAdminPort":15000,"runtimeValues":{"envoy.reloadable_features.explicit_internal_address_config":"true"},"serviceCluster":"istio-proxy","statusPort":15020}} + }, + "layered_runtime": { + "layers": [ + { + "name": "global config", + "static_layer": {"envoy.deprecated_features:envoy.config.listener.v3.Listener.hidden_envoy_deprecated_use_original_dst":true,"envoy.reloadable_features.explicit_internal_address_config":true,"envoy.reloadable_features.http_reject_path_with_fragment":false,"overload.global_downstream_max_connections":"2147483647","re2.max_program_size.error_level":"32768"} + }, + { + "name": "admin", + "admin_layer": {} + } + ] + }, + "bootstrap_extensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type":"type.googleapis.com/udpa.type.v1.TypedStruct", + "type_url": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener", + "value": { + "buffer_size_kb": 64 + } + } + } + ], + "stats_config": { + "use_all_default_tags": false, + "stats_tags": [ + { + "tag_name": "cluster_name", + "regex": "^cluster(\\.(.+);)" + }, + { + "tag_name": "http_conn_manager_prefix", + "regex": "^http\\.(((?:[_.[:digit:]\\w]*|[_\\[\\]aAbBcCdDeEfF[:digit:]\\w\\:]*));\\.)" + }, + { + "tag_name": 
"tcp_prefix", + "regex": "^tcp\\.((.*?)\\.)\\w+?$" + }, + { + "regex": "_rq(_(\\d{3}))$", + "tag_name": "response_code" + }, + { + "tag_name": "response_code_class", + "regex": "_rq(_(\\dxx))$" + }, + { + "tag_name": "http_conn_manager_listener_prefix", + "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "listener_address", + "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "mongo_prefix", + "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$" + }, + { + "regex": "(cache\\.(.+?)\\.)", + "tag_name": "cache" + }, + { + "regex": "(component\\.(.+?)\\.)", + "tag_name": "component" + }, + { + "regex": "(tag\\.(.+?);\\.)", + "tag_name": "tag" + }, + { + "regex": "(wasm_filter\\.(.+?)\\.)", + "tag_name": "wasm_filter" + }, + { + "tag_name": "authz_enforce_result", + "regex": "rbac(\\.(allowed|denied))" + }, + { + "tag_name": "authz_dry_run_action", + "regex": "(\\.istio_dry_run_(allow|deny)_)" + }, + { + "tag_name": "authz_dry_run_result", + "regex": "(\\.shadow_(allowed|denied))" + } + ], + "stats_matcher": { + "inclusion_list": { + "patterns": [ + { + "prefix": "reporter=" + }, + { + "prefix": "cluster_manager" + }, + { + "prefix": "listener_manager" + }, + { + "prefix": "server" + }, + { + "prefix": "cluster.xds-grpc" + }, + { + "prefix": "wasm" + }, + { + "suffix": "rbac.allowed" + }, + { + "suffix": "rbac.denied" + }, + { + "suffix": "shadow_allowed" + }, + { + "suffix": "shadow_denied" + }, + { + "safe_regex": {"regex":"vhost\\..*\\.route\\..*"} + }, + { + "prefix": "component" + }, + { + "prefix": "istio" + } + ] + } + } + }, + "admin": { + "access_log": [ + { + "name": "envoy.access_loggers.file", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", + "path": "/dev/null" + } + } + ], + "profile_path": "/var/lib/istio/data/envoy.prof", + "address": { + 
"socket_address": { + "address": "127.0.0.1", + "port_value": 15000 + } + } + }, + "dynamic_resources": { + "lds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "cds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "ads_config": { + "api_type": "DELTA_GRPC", + "set_node_on_first_message_only": true, + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "xds-grpc" + } + } + ] + } + }, + "static_resources": { + "clusters": [ + { + "name": "prometheus_stats", + "alt_stat_name": "prometheus_stats;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "prometheus_stats", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15000 + } + } + } + }] + }] + } + }, + { + "name": "agent", + "alt_stat_name": "agent;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "agent", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15020 + } + } + } + }] + }] + } + }, + { + "name": "sds-grpc", + "alt_stat_name": "sds-grpc;", + "type": "STATIC", + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + }, + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "sds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "./var/run/secrets/workload-spiffe-uds/socket" + } + } + } + }] + }] + } + }, + { + "name": "xds-grpc", + 
"alt_stat_name": "xds-grpc;", + "type" : "STATIC", + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "xds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "/tmp/XDS" + } + } + } + }] + }] + }, + "circuit_breakers": { + "thresholds": [ + { + "priority": "DEFAULT", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }, + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + } + ] + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_time": 300 + } + }, + "max_requests_per_connection": 1, + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + } + } + + + ], + "listeners":[ + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + + "port_value": 15090 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "stats", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/stats/prometheus" + }, + "route": { + "cluster": "prometheus_stats" + } + } + ] + } + ] + }, + "http_filters": [ + { + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + }, + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + "port_value": 15021 + } + }, + "filter_chains": [ + { + "filters": [ + { + 
"name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "agent", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/healthz/ready" + }, + "route": { + "cluster": "agent" + } + } + ] + } + ] + }, + "http_filters": [{ + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + } + ] + } + + + , + "cluster_manager": { + "outlier_detection": { + "event_log_path": "/dev/stdout" + } + } + +}