
ServiceEntry support #10870

Merged: 28 commits merged into main, Mar 25, 2025

Conversation

stevenctl (Contributor) commented Mar 18, 2025

Description

  • Generate Backends and Endpoints (CDS and EDS)
  • Waypoint capture
  • BackendRef to ServiceEntry kind
  • BackendRef to Hostname kind
  • HTTPRoute ParentRef to ServiceEntry kind
  • HTTPRoute ParentRef to Hostname kind

API changes

  • backendRef, for both Gateway and Waypoint, can point at networking.istio.io/Hostname using the ServiceEntry hostname to point at a ServiceEntry in any namespace as the backend.
  • parentRef, only for Waypoint, can use networking.istio.io/Hostname to attach policy to a Service or ServiceEntry

Code changes

  • Add ServiceEntry to common collections as it's used across serviceentry CDS/EDS code and Waypoint translation code for attachment purposes.
  • Add a serviceentry plugin that provides Backends, Endpoints and a backendRef resolver
  • Make a few functions used by the k8s plugin re-usable

Context

#10841

Testing steps

  1. Deploy kgateway
  2. Install Istio
  3. Deploy a gateway
  4. Create a ServiceEntry and a backing pod (or do DNS egress)
  5. Create an HTTPRoute that points to the SE (either via name/ns or hostname)
  6. Send traffic

Unit/in-memory tests:

  • Unit tests at the setup_test level that ensure EDS/CDS looks right for various configs (DNS, EDS, STATIC inline)
  • Unit tests at the waypoint_translator level that ensure policy attachment and waypoint attachment work (hostname vs name/ns references, namespace vs direct attachment)

E2E tests:

  • Send traffic via ingress to SE
  • Send traffic via Waypoint to SE (this should be a matrix of policies x destination types)
  • Test DNS SE (need to figure out how to do so safely, probably just send to a kube svc hostname using DNS resolution); do this with both ingress and Waypoint

Notes for reviewers

  • Improving the handling of multiple hostnames, with regards to HTTPRoute attachment, and DR attachment, should be handled in a follow up.
  • Allowing DR to apply to inline endpoints for non-EDS ServiceEntry should be done in a follow up.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
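The testing steps above, as an added example that is not part of the PR: a ServiceEntry with explicitly written addresses (the point raised in the discussion below about auto-allocated VIPs) and an HTTPRoute whose backendRef uses the networking.istio.io/Hostname kind from the API changes. Gateway, namespace, hostname and IP values are assumed.

```yaml
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: example-se             # assumed name
  namespace: backend-ns        # assumed namespace
spec:
  hosts:
  - backend.example.internal   # assumed hostname
  # Written explicitly: the PR discussion notes that kgateway needs the VIPs
  # from the resource itself, so either spec.addresses is set by hand or
  # Istio's status.addresses auto-allocation must be enabled.
  addresses:
  - 240.240.0.10               # constructed VIP
  location: MESH_INTERNAL
  resolution: STATIC
  ports:
  - number: 8080
    name: http
    protocol: HTTP
  endpoints:
  - address: 10.0.0.5          # constructed backing pod IP (STATIC inline)
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: to-se                  # assumed name
  namespace: gw-ns             # assumed gateway namespace
spec:
  parentRefs:
  - name: my-gw                # assumed Gateway name
  rules:
  - backendRefs:
    # Hostname kind: no namespace field, the ServiceEntry may live in any
    # namespace and is matched by its hostname.
    - group: networking.istio.io
      kind: Hostname
      name: backend.example.internal
      port: 8080
    # Alternative from the description: reference the ServiceEntry by name/ns.
    # - group: networking.istio.io
    #   kind: ServiceEntry
    #   name: example-se
    #   namespace: backend-ns
```

After applying both resources, step 6 is a request through the Gateway; a curl that fails with a resolution timeout (as in the comment below) points at missing addresses on the ServiceEntry rather than at the route.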

@stevenctl stevenctl changed the title wip: ServiceEntry support ServiceEntry support Mar 20, 2025
stevenctl (Contributor, Author) commented Mar 21, 2025

Closing connection 0 curl: (28) Resolving timed out after 3000 milliseconds command terminated with exit code 28

The issue was I didn't put addresses in the spec, the VIPs. 1.25 has the feature to write auto-allocated addresses to status turned on by default. This doesn't matter for Istio impls, because Istio impls have these auto-allocated addresses in-memory in istiod. It matters for us, because we need to get that info from istiod somehow.

We must document somewhere that the status.addresses functionality must be enabled OR users must manually write addresses in their ServiceEntry spec.

https://istio.io/latest/news/releases/1.23.x/announcing-1.23/#dns-auto-allocation-improvements

@stevenctl stevenctl requested a review from shashankram March 21, 2025 16:41
lgadban (Contributor) left a comment:

mostly LGTM, just a few comments/questions

```go
// Excerpt of the CommonCollections initialization that the comment below refers to
Settings:       settings,
Namespaces:     namespaces,
Services:       services,
ServiceEntries: serviceEntries,
```
Contributor comment:

not suggesting to change this but more for my own understanding, do we actually need ServiceEntries here as part of the CommonCollections? i.e. will anything outside of the SE plugin need this?

stevenctl (Contributor, Author) replied:

The waypoint is already reading them. The alternative is to create a "logical service" that merges over Service and ServiceEntry for waypoint to utilize.

If we don't put this here, we still end up sharing informers but run the collection logic twice for waypoint (attachment to SE) and service entry (CDS/EDS)

Member comment:

Do I need to add authorizationpolicies in the collection here? My proto code works without it, but I might be missing something. Please let me know!

stevenctl (Contributor, Author) replied:

Authz can live in the waypointqueries initialization until we make it apply to non-waypoints. No time to get that in for 2.0.0 release though.

shashankram (Contributor): Approved, but will defer to @lgadban/others for final approval

@stevenctl stevenctl added this pull request to the merge queue Mar 24, 2025
stevenctl (Contributor, Author): Spoke with @lgadban offline, can address anything else in follow-ups.

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 24, 2025
@lgadban lgadban added this pull request to the merge queue Mar 24, 2025
lgadban (Contributor) left a comment: LGTM!

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 24, 2025
@stevenctl stevenctl added this pull request to the merge queue Mar 25, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 25, 2025
@lgadban lgadban added this pull request to the merge queue Mar 25, 2025
Merged via the queue into main with commit dadcdee Mar 25, 2025
14 checks passed
@lgadban lgadban deleted the stevenctl/serviceentry-init branch March 25, 2025 01:19
Successfully merging this pull request may close these issues.

[waypoint] [kgateway] Support ServiceEntry backends and Waypoint capture