From da0b3f29e9f9eef387691bdf5870a6d665c704c9 Mon Sep 17 00:00:00 2001
From: "Jackie Maertens (Elliott)" <64559656+jaellio@users.noreply.github.com>
Date: Tue, 17 Sep 2024 12:00:16 -0700
Subject: [PATCH] [release-1.23] Update proxy repo SHA for release-1.23.2 (#139)
* [release-1.23] Update proxy repo SHA for release-1.23.2
Signed-off-by: Jackie Elliott
* Explicitly set internal addresses in Http Connection Manager when PILOT_SIDECAR_USE_REMOTE_ADDRESS is set to true for the sidecar.
Signed-off-by: Jackie Elliott
* Add unit test for setting runtimeValues in envoy config
Signed-off-by: Jackie Elliott
* Update SHA
Signed-off-by: Jackie Elliott
* Make gen on explicit internal address golden
Signed-off-by: Jackie Elliott
* Fix SHA
Signed-off-by: Jackie Elliott
* Use httpOpts instead of features useRemoteAddress to ensure it is only set for outbound sidecars
Signed-off-by: Jackie Elliott
---------
Signed-off-by: Jackie Elliott
---
istio.deps | 2 +-
pilot/pkg/networking/core/listener_builder.go | 5 +-
.../networking/core/listener_builder_test.go | 69 +++
pkg/bootstrap/instance_test.go | 3 +
.../explicit_internal_address.proxycfg | 12 +
.../explicit_internal_address_golden.json | 433 ++++++++++++++++++
6 files changed, 522 insertions(+), 2 deletions(-)
create mode 100644 pkg/bootstrap/testdata/explicit_internal_address.proxycfg
create mode 100644 pkg/bootstrap/testdata/explicit_internal_address_golden.json
diff --git a/istio.deps b/istio.deps
index 29b0a0489380..71f20d16bab2 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,7 +4,7 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "94ed360d6e7afb84546716e194b4c2fcc601e651"
+ "lastStableSHA": "6c72b2179f5a58988b920a55b0be8346de3f7b35"
 },
 {
 "_comment": "",
diff --git a/pilot/pkg/networking/core/listener_builder.go b/pilot/pkg/networking/core/listener_builder.go
index 33735da106b3..4176eca04279 100644
--- a/pilot/pkg/networking/core/listener_builder.go
+++ b/pilot/pkg/networking/core/listener_builder.go
@@ -421,7 +421,10 @@ func (lb *ListenerBuilder) buildHTTPConnectionManager(httpOpts *httpListenerOpts
 connectionManager.HttpFilters = filters
 connectionManager.RequestIdExtension = requestidextension.BuildUUIDRequestIDExtension(reqIDExtensionCtx)
- if features.EnableHCMInternalNetworks && lb.push.Networks != nil {
+ // If UseRemoteAddress is set, we must set the internal address config in preparation for envoy
+ // internal addresses defaulting to empty set. Currently, the internal addresses defaulted to
+ // all private IPs but this will change in the future.
+ if (features.EnableHCMInternalNetworks || httpOpts.useRemoteAddress) && lb.push.Networks != nil {
 for _, internalnetwork := range lb.push.Networks.Networks {
 iac := &hcm.HttpConnectionManager_InternalAddressConfig{}
 for _, ne := range internalnetwork.Endpoints {
diff --git a/pilot/pkg/networking/core/listener_builder_test.go b/pilot/pkg/networking/core/listener_builder_test.go
index 06f98da5b921..b5b58ad40413 100644
--- a/pilot/pkg/networking/core/listener_builder_test.go
+++ b/pilot/pkg/networking/core/listener_builder_test.go
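Review bot: The widened condition still leaves `InternalAddressConfig` unset whenever `lb.push.Networks` is nil or carries no endpoints (the new test's "nil networks" and "empty networks" cases expect exactly that), so a sidecar built with `useRemoteAddress` and no mesh networks keeps depending on Envoy's runtime default for which downstream addresses count as internal — all private ranges today, the empty set once `envoy.reloadable_features.explicit_internal_address_config` flips. Because Envoy uses that set to decide whether x-envoy-* request headers from a downstream are trusted or sanitised, the comment should state that this fallback is deliberate and that the mesh-network CIDRs become the trusted set. The comment's wording is also off; I would write `// Envoy currently defaults internal addresses to all private ranges, but that default is moving to the empty set (see envoy.reloadable_features.explicit_internal_address_config), so when useRemoteAddress is set we emit the mesh-network CIDRs explicitly; with no configured networks the Envoy default still applies.` The body of buildHTTPConnectionManager continues past the end of the hunk.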
@@ -844,6 +844,75 @@ func TestHCMInternalAddressConfig(t *testing.T) {
 }
 }
+func TestUseRemoteAddressInternalAddressConfig(t *testing.T) {
+ cg := NewConfigGenTest(t, TestOptions{})
+ sidecarProxy := cg.SetupProxy(&model.Proxy{ConfigNamespace: "not-default"})
+ push := cg.PushContext()
+ cases := []struct {
+ name string
+ networks *meshconfig.MeshNetworks
+ expectedconfig *hcm.HttpConnectionManager_InternalAddressConfig
+ }{
+ {
+ name: "nil networks",
+ expectedconfig: nil,
+ },
+ {
+ name: "empty networks",
+ networks: &meshconfig.MeshNetworks{},
+ expectedconfig: nil,
+ },
+ {
+ name: "networks populated",
+ networks: &meshconfig.MeshNetworks{
+ Networks: map[string]*meshconfig.Network{
+ "default": {
+ Endpoints: []*meshconfig.Network_NetworkEndpoints{
+ {
+ Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+ FromCidr: "192.168.0.0/16",
+ },
+ },
+ {
+ Ne: &meshconfig.Network_NetworkEndpoints_FromCidr{
+ FromCidr: "172.16.0.0/12",
+ },
+ },
+ },
+ },
+ },
+ },
+ expectedconfig: &hcm.HttpConnectionManager_InternalAddressConfig{
+ CidrRanges: []*core.CidrRange{
+ {
+ AddressPrefix: "192.168.0.0",
+ PrefixLen: &wrapperspb.UInt32Value{Value: 16},
+ },
+ {
+ AddressPrefix: "172.16.0.0",
+ PrefixLen: &wrapperspb.UInt32Value{Value: 12},
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range cases {
+ t.Run(tt.name, func(t *testing.T) {
+ push.Networks = tt.networks
+ lb := &ListenerBuilder{
+ push: push,
+ node: sidecarProxy,
+ authzCustomBuilder: &authz.Builder{},
+ authzBuilder: &authz.Builder{},
+ }
+ httpConnManager := lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: true})
+ if !reflect.DeepEqual(tt.expectedconfig, httpConnManager.InternalAddressConfig) {
+ t.Errorf("unexpected internal address config, expected: %v, got :%v", tt.expectedconfig, httpConnManager.InternalAddressConfig)
+ }
+ })
+ }
+}
+
 func TestAdditionalAddressesForIPv6(t *testing.T) {
 test.SetForTest(t, &features.EnableAdditionalIpv4OutboundListenerForIpv6Only, true)
 cg := 
NewConfigGenTest(t, TestOptions{Services: testServices})
diff --git a/pkg/bootstrap/instance_test.go b/pkg/bootstrap/instance_test.go
index 5488316cc8bb..5094470df40b 100644
--- a/pkg/bootstrap/instance_test.go
+++ b/pkg/bootstrap/instance_test.go
@@ -108,6 +108,9 @@ func TestGolden(t *testing.T) {
 {
 base: "default",
 },
+ {
+ base: "explicit_internal_address",
+ },
 {
 base: "legacy_stats_tags_regex",
 envVars: map[string]string{
diff --git a/pkg/bootstrap/testdata/explicit_internal_address.proxycfg b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
new file mode 100644
index 000000000000..f8f7a21a59c4
--- /dev/null
+++ b/pkg/bootstrap/testdata/explicit_internal_address.proxycfg
@@ -0,0 +1,12 @@
+config_path: "/etc/istio/proxy"
+binary_path: "/usr/local/bin/envoy"
+service_cluster: "istio-proxy"
+drain_duration: {seconds: 2}
+discovery_address: "istio-pilot:15010"
+proxy_admin_port: 15000
+control_plane_auth_policy: NONE
+runtime_values: [{ key: "envoy.reloadable_features.explicit_internal_address_config" value: "true" }]
+
+#
+# This matches the default configuration hardcoded in model.DefaultProxyConfig
+# Flags may override this configuration, as specified by the injector configs.
diff --git a/pkg/bootstrap/testdata/explicit_internal_address_golden.json b/pkg/bootstrap/testdata/explicit_internal_address_golden.json
new file mode 100644
index 000000000000..b3a34590d7f1
--- /dev/null
+++ b/pkg/bootstrap/testdata/explicit_internal_address_golden.json
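Review bot: TestUseRemoteAddressInternalAddressConfig never pins `features.EnableHCMInternalNetworks`, so if that flag is on in the test environment every case is satisfied by the pre-existing branch and the new `httpOpts.useRemoteAddress` path is not actually exercised; the neighbouring TestAdditionalAddressesForIPv6 shows the idiom, `test.SetForTest(t, &features.EnableHCMInternalNetworks, false)` as the first line of the test. The table also has no negative case: a fourth entry with populated networks that calls `lb.buildHTTPConnectionManager(&httpListenerOpts{useRemoteAddress: false})` and expects nil would prove the gating rather than only the positive path. Comparing protobuf messages with `reflect.DeepEqual` is fragile because generated messages carry internal state fields; `proto.Equal(tt.expectedconfig, httpConnManager.InternalAddressConfig)` is the robust check, though I cannot see whether the sibling TestHCMInternalAddressConfig does the same since its body lies outside the hunk. Minor: the failure message `got :%v` has the colon on the wrong side of the space.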
@@ -0,0 +1,433 @@ +{ + "application_log_config": { + "log_format": { + "text_format": "%Y-%m-%dT%T.%fZ\t%l\tenvoy %n %g:%#\t%v\tthread=%t" + } + }, + "node": { + "id": "sidecar~1.2.3.4~foo~bar", + "cluster": "istio-proxy", + "locality": { + }, + "metadata": {"ENVOY_PROMETHEUS_PORT":15090,"ENVOY_STATUS_PORT":15021,"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","ISTIO_VERSION":"binary-1.0","OUTLIER_LOG_PATH":"/dev/stdout","PILOT_SAN":["spiffe://cluster.local/ns/istio-system/sa/istio-pilot-service-account"],"PROXY_CONFIG":{"binaryPath":"/usr/local/bin/envoy","configPath":"/tmp/bootstrap/explicit_internal_address","customConfigFile":"envoy_bootstrap.json","discoveryAddress":"istio-pilot:15010","drainDuration":"2s","proxyAdminPort":15000,"runtimeValues":{"envoy.reloadable_features.explicit_internal_address_config":"true"},"serviceCluster":"istio-proxy","statusPort":15020}} + }, + "layered_runtime": { + "layers": [ + { + "name": "global config", + "static_layer": {"envoy.deprecated_features:envoy.config.listener.v3.Listener.hidden_envoy_deprecated_use_original_dst":true,"envoy.reloadable_features.explicit_internal_address_config":true,"envoy.reloadable_features.http_reject_path_with_fragment":false,"overload.global_downstream_max_connections":"2147483647","re2.max_program_size.error_level":"32768"} + }, + { + "name": "admin", + "admin_layer": {} + } + ] + }, + "bootstrap_extensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type":"type.googleapis.com/udpa.type.v1.TypedStruct", + "type_url": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener", + "value": { + "buffer_size_kb": 64 + } + } + } + ], + "stats_config": { + "use_all_default_tags": false, + "stats_tags": [ + { + "tag_name": "cluster_name", + "regex": "^cluster(\\.(.+);)" + }, + { + "tag_name": "http_conn_manager_prefix", + "regex": "^http\\.(((?:[_.[:digit:]\\w]*|[_\\[\\]aAbBcCdDeEfF[:digit:]\\w\\:]*));\\.)" + }, + { + "tag_name": 
"tcp_prefix", + "regex": "^tcp\\.((.*?)\\.)\\w+?$" + }, + { + "regex": "_rq(_(\\d{3}))$", + "tag_name": "response_code" + }, + { + "tag_name": "response_code_class", + "regex": "_rq(_(\\dxx))$" + }, + { + "tag_name": "http_conn_manager_listener_prefix", + "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "listener_address", + "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "mongo_prefix", + "regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$" + }, + { + "regex": "(cache\\.(.+?)\\.)", + "tag_name": "cache" + }, + { + "regex": "(component\\.(.+?)\\.)", + "tag_name": "component" + }, + { + "regex": "(tag\\.(.+?);\\.)", + "tag_name": "tag" + }, + { + "regex": "(wasm_filter\\.(.+?)\\.)", + "tag_name": "wasm_filter" + }, + { + "tag_name": "authz_enforce_result", + "regex": "rbac(\\.(allowed|denied))" + }, + { + "tag_name": "authz_dry_run_action", + "regex": "(\\.istio_dry_run_(allow|deny)_)" + }, + { + "tag_name": "authz_dry_run_result", + "regex": "(\\.shadow_(allowed|denied))" + } + ], + "stats_matcher": { + "inclusion_list": { + "patterns": [ + { + "prefix": "reporter=" + }, + { + "prefix": "cluster_manager" + }, + { + "prefix": "listener_manager" + }, + { + "prefix": "server" + }, + { + "prefix": "cluster.xds-grpc" + }, + { + "prefix": "wasm" + }, + { + "suffix": "rbac.allowed" + }, + { + "suffix": "rbac.denied" + }, + { + "suffix": "shadow_allowed" + }, + { + "suffix": "shadow_denied" + }, + { + "safe_regex": {"regex":"vhost\\..*\\.route\\..*"} + }, + { + "prefix": "component" + }, + { + "prefix": "istio" + } + ] + } + } + }, + "admin": { + "access_log": [ + { + "name": "envoy.access_loggers.file", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog", + "path": "/dev/null" + } + } + ], + "profile_path": "/var/lib/istio/data/envoy.prof", + "address": { + 
"socket_address": { + "address": "127.0.0.1", + "port_value": 15000 + } + } + }, + "dynamic_resources": { + "lds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "cds_config": { + "ads": {}, + "initial_fetch_timeout": "0s", + "resource_api_version": "V3" + }, + "ads_config": { + "api_type": "DELTA_GRPC", + "set_node_on_first_message_only": true, + "transport_api_version": "V3", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "xds-grpc" + } + } + ] + } + }, + "static_resources": { + "clusters": [ + { + "name": "prometheus_stats", + "alt_stat_name": "prometheus_stats;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "prometheus_stats", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15000 + } + } + } + }] + }] + } + }, + { + "name": "agent", + "alt_stat_name": "agent;", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "agent", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15020 + } + } + } + }] + }] + } + }, + { + "name": "sds-grpc", + "alt_stat_name": "sds-grpc;", + "type": "STATIC", + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + }, + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "sds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "./var/run/secrets/workload-spiffe-uds/socket" + } + } + } + }] + }] + } + }, + { + "name": "xds-grpc", + 
"alt_stat_name": "xds-grpc;", + "type" : "STATIC", + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "load_assignment": { + "cluster_name": "xds-grpc", + "endpoints": [{ + "lb_endpoints": [{ + "endpoint": { + "address":{ + "pipe": { + "path": "/tmp/XDS" + } + } + } + }] + }] + }, + "circuit_breakers": { + "thresholds": [ + { + "priority": "DEFAULT", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }, + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + } + ] + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_time": 300 + } + }, + "max_requests_per_connection": 1, + "typed_extension_protocol_options": { + "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", + "explicit_http_config": { + "http2_protocol_options": {} + } + } + } + } + + + ], + "listeners":[ + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + + "port_value": 15090 + } + }, + "filter_chains": [ + { + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "stats", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/stats/prometheus" + }, + "route": { + "cluster": "prometheus_stats" + } + } + ] + } + ] + }, + "http_filters": [ + { + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + }, + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + "port_value": 15021 + } + }, + "filter_chains": [ + { + "filters": [ + { + 
"name": "envoy.filters.network.http_connection_manager", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", + "codec_type": "AUTO", + "stat_prefix": "agent", + "route_config": { + "virtual_hosts": [ + { + "name": "backend", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/healthz/ready" + }, + "route": { + "cluster": "agent" + } + } + ] + } + ] + }, + "http_filters": [{ + "name": "envoy.filters.http.router", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" + } + }] + } + } + ] + } + ] + } + ] + } + + + , + "cluster_manager": { + "outlier_detection": { + "event_log_path": "/dev/stdout" + } + } + +}