diff --git a/helm/core/templates/configmap.yaml b/helm/core/templates/configmap.yaml index 156cf87fe..6a2117754 100644 --- a/helm/core/templates/configmap.yaml +++ b/helm/core/templates/configmap.yaml @@ -3,7 +3,11 @@ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain trustDomain: "cluster.local" accessLogEncoding: TEXT + {{- if .Values.global.o11y.enabled }} + accessLogFile: "/var/log/proxy/access.log" + {{- else }} accessLogFile: "/dev/stdout" + {{- end }} ingressControllerMode: "OFF" accessLogFormat: '{"authority":"%REQ(X-ENVOY-ORIGINAL-HOST?:AUTHORITY)%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","downstream_local_address":"%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address":"%DOWNSTREAM_REMOTE_ADDRESS%","duration":"%DURATION%","istio_policy_status":"%DYNAMIC_METADATA(istio.mixer:status)%","method":"%REQ(:METHOD)%","path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol":"%PROTOCOL%","request_id":"%REQ(X-REQUEST-ID)%","requested_server_name":"%REQUESTED_SERVER_NAME%","response_code":"%RESPONSE_CODE%","response_flags":"%RESPONSE_FLAGS%","route_name":"%ROUTE_NAME%","start_time":"%START_TIME%","trace_id":"%REQ(X-B3-TRACEID)%","upstream_cluster":"%UPSTREAM_CLUSTER%","upstream_host":"%UPSTREAM_HOST%","upstream_local_address":"%UPSTREAM_LOCAL_ADDRESS%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_transport_failure_reason":"%UPSTREAM_TRANSPORT_FAILURE_REASON%","user_agent":"%REQ(USER-AGENT)%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%"} diff --git a/helm/core/templates/controller-deployment.yaml b/helm/core/templates/controller-deployment.yaml index 785549f5a..762892c2a 100644 --- a/helm/core/templates/controller-deployment.yaml +++ b/helm/core/templates/controller-deployment.yaml @@ -70,6 +70,8 @@ spec: periodSeconds: 3 timeoutSeconds: 5 env: + - name: PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS + value: "false" - name: HIGRESS_SYSTEM_NS value: "{{ .Release.Namespace }}" - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD diff --git a/helm/core/templates/deployment.yaml b/helm/core/templates/deployment.yaml index 7fbaf41d2..cf6f5cbf2 100644 --- a/helm/core/templates/deployment.yaml +++ b/helm/core/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $o11y := .Values.global.o11y }} {{- $unprivilegedPortSupported := true }} {{- range $index, $node := (lookup "v1" "Node" "default" "").items }} {{- $kernelVersion := $node.status.nodeInfo.kernelVersion }} @@ -67,6 +68,40 @@ spec: value: "0" {{- end }} containers: + {{- if $o11y.enabled }} + {{- $config := $o11y.promtail }} + - name: promtail + image: {{ $config.image.repository }}:{{ $config.image.tag }} + imagePullPolicy: IfNotPresent + args: + - -config.file=/etc/promtail/promtail.yaml + env: + - name: 'HOSTNAME' + valueFrom: + fieldRef: + fieldPath: 'spec.nodeName' + ports: + - containerPort: {{ $config.port }} + name: http-metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: {{ $config.port }} + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: promtail-config + mountPath: "/etc/promtail" + - name: log + mountPath: /var/log/proxy + - name: tmp + mountPath: /tmp + {{- end }} - name: higress-gateway image: "{{ .Values.gateway.hub | default .Values.global.hub }}/{{ .Values.gateway.image | default "gateway" }}:{{ .Values.gateway.tag | default .Chart.AppVersion }}" args: @@ -88,7 +123,10 @@ spec: - ALL allowPrivilegeEscalation: false privileged: false + # When enabling lite metrics, the configuration template files need to be replaced. + {{- if not .Values.global.liteMetrics }} readOnlyRootFilesystem: true + {{- end }} runAsUser: 1337 runAsGroup: 1337 runAsNonRoot: true @@ -102,7 +140,6 @@ spec: runAsGroup: 1337 runAsNonRoot: false allowPrivilegeEscalation: true - readOnlyRootFilesystem: true {{- end }} env: - name: NODE_NAME @@ -148,6 +185,10 @@ spec: value: "{{ $.Values.clusterName | default `Kubernetes` }}" - name: INSTANCE_NAME value: "higress-gateway" + {{- if .Values.global.liteMetrics }} + - name: LITE_METRICS + value: "on" + {{- end }} {{- if include "skywalking.enabled" . }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: /etc/istio/custom-bootstrap/custom_bootstrap.json @@ -212,6 +253,10 @@ spec: - mountPath: /opt/plugins name: local-wasmplugins-volume {{- end }} + {{- if $o11y.enabled }} + - mountPath: /var/log/proxy + name: log + {{- end }} {{- if .Values.gateway.hostNetwork }} hostNetwork: {{ .Values.gateway.hostNetwork }} dnsPolicy: ClusterFirstWithHostNet @@ -258,6 +303,15 @@ spec: emptyDir: {} - name: proxy-socket emptyDir: {} + {{- if $o11y.enabled }} + - name: log + emptyDir: {} + - name: tmp + emptyDir: {} + - name: promtail-config + configMap: + name: higress-promtail + {{- end }} - name: podinfo downwardAPI: defaultMode: 420 diff --git a/helm/core/templates/promtail.yaml b/helm/core/templates/promtail.yaml new file mode 100644 index 000000000..c72856a6e --- /dev/null +++ b/helm/core/templates/promtail.yaml @@ -0,0 +1,64 @@ +{{- $o11y := .Values.global.o11y }} +{{- if $o11y.enabled }} +{{- $config := $o11y.promtail }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: higress-promtail + namespace: {{ .Release.Namespace }} +data: + promtail.yaml: | + server: + log_level: info + http_listen_port: {{ $config.port }} + + clients: + - url: http://higress-console-loki.{{ .Release.Namespace }}:3100/loki/api/v1/push + + positions: + filename: /tmp/promtail-positions.yaml + target_config: + sync_period: 10s + scrape_configs: + - job_name: access-logs + static_configs: + - targets: + - localhost + labels: + __path__: /var/log/proxy/access.log + pipeline_stages: + - json: + expressions: + authority: + method: + path: + protocol: + request_id: + response_code: + response_flags: + route_name: + trace_id: + upstream_cluster: + upstream_host: + upstream_transport_failure_reason: + user_agent: + x_forwarded_for: + - labels: + authority: + method: + path: + protocol: + request_id: + response_code: + response_flags: + route_name: + trace_id: + upstream_cluster: + upstream_host: + upstream_transport_failure_reason: + user_agent: + x_forwarded_for: + - timestamp: + source: timestamp + format: RFC3339Nano +{{- end }} diff --git a/helm/core/values.yaml b/helm/core/values.yaml index ff2f5d81e..96e0d91b5 100644 --- a/helm/core/values.yaml +++ b/helm/core/values.yaml @@ -1,5 +1,6 @@ revision: "" global: + liteMetrics: false xdsMaxRecvMsgSize: "104857600" defaultUpstreamConcurrencyThreshold: 10000 enableSRDS: true @@ -337,6 +338,20 @@ global: # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. useMCP: false + # Observability (o11y) configurations + o11y: + enabled: false + promtail: + image: + repository: grafana/promtail + tag: 2.9.4 + port: 3101 + resources: + limits: + cpu: 500m + memory: 2Gi + securityContext: {} + # The name of the CA for workload certificates. # For example, when caName=GkeWorkloadCertificate, GKE workload certificates # will be used as the certificates for workloads. diff --git a/istio/1.12/patches/istio/20240519-proxy-start-script.patch b/istio/1.12/patches/istio/20240519-proxy-start-script.patch new file mode 100644 index 000000000..11a4e6b00 --- /dev/null +++ b/istio/1.12/patches/istio/20240519-proxy-start-script.patch @@ -0,0 +1,752 @@ +diff -Naur istio/pilot/docker/Dockerfile.proxyv2 istio-new/pilot/docker/Dockerfile.proxyv2 +--- istio/pilot/docker/Dockerfile.proxyv2 2024-05-19 16:40:42.706769894 +0800 ++++ istio-new/pilot/docker/Dockerfile.proxyv2 2024-05-19 16:07:20.630730574 +0800 +@@ -28,6 +28,7 @@ + + # Copy Envoy bootstrap templates used by pilot-agent + COPY envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json ++COPY envoy_bootstrap_lite.json /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json + COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json + + # Install Envoy. +@@ -47,5 +48,30 @@ + # COPY metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm + # COPY metadata-exchange-filter.compiled.wasm /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + ++RUN apt-get update && \ ++ apt-get install --no-install-recommends -y \ ++ logrotate \ ++ cron \ ++ && apt-get upgrade -y \ ++ && apt-get clean ++ ++# Latest releases available at https://github.com/aptible/supercronic/releases ++ENV SUPERCRONIC_URL=https://higress.io/release-binary/supercronic-linux-${TARGETARCH:-amd64} \ ++ SUPERCRONIC=supercronic-linux-${TARGETARCH:-amd64} ++ ++RUN curl -fsSLO "$SUPERCRONIC_URL" \ ++ && chmod +x "$SUPERCRONIC" \ ++ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \ ++ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic ++ ++ ++COPY higress-proxy-start.sh /usr/local/bin/higress-proxy-start.sh ++ ++COPY higress-proxy-container-init.sh /usr/local/bin/higress-proxy-container-init.sh ++ ++RUN chmod a+x /usr/local/bin/higress-proxy-container-init.sh;/usr/local/bin/higress-proxy-container-init.sh ++ ++RUN chmod a+x /usr/local/bin/higress-proxy-start.sh ++ + # The pilot-agent will bootstrap Envoy. +-ENTRYPOINT ["/usr/local/bin/pilot-agent"] ++ENTRYPOINT ["/usr/local/bin/higress-proxy-start.sh"] +diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk +--- istio/tools/istio-docker.mk 2024-05-19 16:40:42.734769895 +0800 ++++ istio-new/tools/istio-docker.mk 2024-05-19 16:02:43.222725126 +0800 +@@ -96,6 +96,9 @@ + docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB} + docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json + docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json ++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-start.sh ++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-container-init.sh ++docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap_lite.json + docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR} + docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR} + docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent +diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json +--- istio/tools/packaging/common/envoy_bootstrap_lite.json 1970-01-01 08:00:00.000000000 +0800 ++++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json 2024-05-19 16:36:39.274765113 +0800 +@@ -0,0 +1,642 @@ ++{ ++ "node": { ++ "id": "{{ .nodeID }}", ++ "cluster": "{{ .cluster }}", ++ "locality": { ++ {{- if .region }} ++ "region": "{{ .region }}" ++ {{- end }} ++ {{- if .zone }} ++ {{- if .region }} ++ , ++ {{- end }} ++ "zone": "{{ .zone }}" ++ {{- end }} ++ {{- if .sub_zone }} ++ {{- if or .region .zone }} ++ , ++ {{- end }} ++ "sub_zone": "{{ .sub_zone }}" ++ {{- end }} ++ }, ++ "metadata": {{ .meta_json_str }} ++ }, ++ "layered_runtime": { ++ "layers": [ ++ { ++ "name": "global config", ++ "static_layer": {{ .runtime_flags }} ++ }, ++ { ++ "name": "admin", ++ "admin_layer": {} ++ } ++ ] ++ }, ++ "stats_config": { ++ "use_all_default_tags": false, ++ "stats_tags": [ ++ { ++ "tag_name": "response_code_class", ++ "regex": "_rq(_(\\dxx))$" ++ }, ++ { ++ "tag_name": "listener_address", ++ "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" ++ }, ++ { ++ "tag_name": "http_conn_manager_prefix", ++ "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)" ++ }, ++ { ++ "tag_name": "cluster_name", ++ "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)" ++ } ++ ], ++ "stats_matcher": { ++ "exclusion_list": { ++ "patterns": [ ++ { ++ "prefix": "vhost" ++ }, ++ { ++ "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}} ++ } ++ ] ++ } ++ } ++ }, ++ "admin": { ++ "access_log_path": "/dev/null", ++ "profile_path": "/var/lib/istio/data/envoy.prof", ++ "address": { ++ "socket_address": { ++ "address": "{{ .localhost }}", ++ "port_value": {{ .config.ProxyAdminPort }} ++ } ++ } ++ }, ++ "dynamic_resources": { ++ "lds_config": { ++ "ads": {}, ++ "initial_fetch_timeout": "0s", ++ "resource_api_version": "V3" ++ }, ++ "cds_config": { ++ "ads": {}, ++ "initial_fetch_timeout": "0s", ++ "resource_api_version": "V3" ++ }, ++ "ads_config": { ++ "api_type": "{{ .xds_type }}", ++ "set_node_on_first_message_only": true, ++ "transport_api_version": "V3", ++ "grpc_services": [ ++ { ++ "envoy_grpc": { ++ "cluster_name": "xds-grpc" ++ } ++ } ++ ] ++ } ++ }, ++ "static_resources": { ++ "clusters": [ ++ { ++ "name": "prometheus_stats", ++ "type": "STATIC", ++ "connect_timeout": "0.250s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "prometheus_stats", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": { ++ "protocol": "TCP", ++ "address": "{{ .localhost }}", ++ "port_value": {{ .config.ProxyAdminPort }} ++ } ++ } ++ } ++ }] ++ }] ++ } ++ }, ++ { ++ "name": "agent", ++ "type": "STATIC", ++ "connect_timeout": "0.250s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "agent", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": { ++ "protocol": "TCP", ++ "address": "{{ .localhost }}", ++ "port_value": {{ .config.StatusPort }} ++ } ++ } ++ } ++ }] ++ }] ++ } ++ }, ++ { ++ "name": "sds-grpc", ++ "type": "STATIC", ++ "typed_extension_protocol_options": { ++ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { ++ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", ++ "explicit_http_config": { ++ "http2_protocol_options": {} ++ } ++ } ++ }, ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "sds-grpc", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "pipe": { ++ "path": "{{ .config.ConfigPath }}/SDS" ++ } ++ } ++ } ++ }] ++ }] ++ } ++ }, ++ { ++ "name": "xds-grpc", ++ "type" : "STATIC", ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "xds-grpc", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "pipe": { ++ "path": "{{ .config.ConfigPath }}/XDS" ++ } ++ } ++ } ++ }] ++ }] ++ }, ++ "circuit_breakers": { ++ "thresholds": [ ++ { ++ "priority": "DEFAULT", ++ "max_connections": 100000, ++ "max_pending_requests": 100000, ++ "max_requests": 100000 ++ }, ++ { ++ "priority": "HIGH", ++ "max_connections": 100000, ++ "max_pending_requests": 100000, ++ "max_requests": 100000 ++ } ++ ] ++ }, ++ "upstream_connection_options": { ++ "tcp_keepalive": { ++ "keepalive_time": 300 ++ } ++ }, ++ "max_requests_per_connection": 1, ++ "typed_extension_protocol_options": { ++ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { ++ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", ++ "explicit_http_config": { ++ "http2_protocol_options": {} ++ } ++ } ++ } ++ } ++ {{ if .zipkin }} ++ , ++ { ++ "name": "zipkin", ++ {{- if .tracing_tls }} ++ "transport_socket": {{ .tracing_tls }}, ++ {{- end }} ++ "type": "STRICT_DNS", ++ "respect_dns_ttl": true, ++ "dns_lookup_family": "{{ .dns_lookup_family }}", ++ "dns_refresh_rate": "30s", ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "zipkin", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": {{ .zipkin }} ++ } ++ } ++ }] ++ }] ++ } ++ } ++ {{ else if .lightstep }} ++ , ++ { ++ "name": "lightstep", ++ {{- if .tracing_tls }} ++ "transport_socket": {{ .tracing_tls }}, ++ {{- end }} ++ "typed_extension_protocol_options": { ++ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { ++ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", ++ "explicit_http_config": { ++ "http2_protocol_options": {} ++ } ++ } ++ }, ++ "type": "STRICT_DNS", ++ "respect_dns_ttl": true, ++ "dns_lookup_family": "{{ .dns_lookup_family }}", ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "lightstep", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": {{ .lightstep }} ++ } ++ } ++ }] ++ }] ++ } ++ } ++ {{ else if .datadog }} ++ , ++ { ++ "name": "datadog_agent", ++ {{- if .tracing_tls }} ++ "transport_socket": {{ .tracing_tls }}, ++ {{- end }} ++ "connect_timeout": "1s", ++ "type": "STRICT_DNS", ++ "respect_dns_ttl": true, ++ "dns_lookup_family": "{{ .dns_lookup_family }}", ++ "lb_policy": "ROUND_ROBIN", ++ "load_assignment": { ++ "cluster_name": "datadog_agent", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": {{ .datadog }} ++ } ++ } ++ }] ++ }] ++ } ++ } ++ {{ end }} ++ {{- if .envoy_metrics_service_address }} ++ , ++ { ++ "name": "envoy_metrics_service", ++ "type": "STRICT_DNS", ++ {{- if .envoy_metrics_service_tls }} ++ "transport_socket": {{ .envoy_metrics_service_tls }}, ++ {{- end }} ++ {{- if .envoy_metrics_service_tcp_keepalive }} ++ "upstream_connection_options": {{ .envoy_metrics_service_tcp_keepalive }}, ++ {{- end }} ++ "respect_dns_ttl": true, ++ "dns_lookup_family": "{{ .dns_lookup_family }}", ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "typed_extension_protocol_options": { ++ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { ++ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", ++ "explicit_http_config": { ++ "http2_protocol_options": {} ++ } ++ } ++ }, ++ "load_assignment": { ++ "cluster_name": "envoy_metrics_service", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": {{ .envoy_metrics_service_address }} ++ } ++ } ++ }] ++ }] ++ } ++ } ++ {{ end }} ++ {{ if .envoy_accesslog_service_address }} ++ , ++ { ++ "name": "envoy_accesslog_service", ++ "type": "STRICT_DNS", ++ {{- if .envoy_accesslog_service_tls }} ++ "transport_socket": {{ .envoy_accesslog_service_tls }}, ++ {{- end }} ++ {{- if .envoy_accesslog_service_tcp_keepalive }} ++ "upstream_connection_options": {{ .envoy_accesslog_service_tcp_keepalive }}, ++ {{ end }} ++ "respect_dns_ttl": true, ++ "dns_lookup_family": "{{ .dns_lookup_family }}", ++ "connect_timeout": "1s", ++ "lb_policy": "ROUND_ROBIN", ++ "typed_extension_protocol_options": { ++ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": { ++ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions", ++ "explicit_http_config": { ++ "http2_protocol_options": {} ++ } ++ } ++ }, ++ "load_assignment": { ++ "cluster_name": "envoy_accesslog_service", ++ "endpoints": [{ ++ "lb_endpoints": [{ ++ "endpoint": { ++ "address":{ ++ "socket_address": {{ .envoy_accesslog_service_address }} ++ } ++ } ++ }] ++ }] ++ } ++ } ++ {{ end }} ++ ], ++ "listeners":[ ++ { ++ "address": { ++ "socket_address": { ++ "protocol": "TCP", ++ "address": "{{ .wildcard }}", ++ "port_value": {{ .envoy_prometheus_port }} ++ } ++ }, ++ "filter_chains": [ ++ { ++ "filters": [ ++ { ++ "name": "envoy.filters.network.http_connection_manager", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", ++ "codec_type": "AUTO", ++ "stat_prefix": "stats", ++ "route_config": { ++ "virtual_hosts": [ ++ { ++ "name": "backend", ++ "domains": [ ++ "*" ++ ], ++ "routes": [ ++ { ++ "match": { ++ "prefix": "/stats/prometheus" ++ }, ++ "route": { ++ "cluster": "prometheus_stats" ++ } ++ } ++ ] ++ } ++ ] ++ }, ++ "http_filters": [{ ++ "name": "envoy.filters.http.router", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" ++ } ++ }] ++ } ++ } ++ ] ++ } ++ ] ++ }, ++ { ++ "address": { ++ "socket_address": { ++ "protocol": "TCP", ++ "address": "{{ .wildcard }}", ++ "port_value": {{ .envoy_status_port }} ++ } ++ }, ++ "filter_chains": [ ++ { ++ "filters": [ ++ { ++ "name": "envoy.filters.network.http_connection_manager", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", ++ "codec_type": "AUTO", ++ "stat_prefix": "agent", ++ "route_config": { ++ "virtual_hosts": [ ++ { ++ "name": "backend", ++ "domains": [ ++ "*" ++ ], ++ "routes": [ ++ { ++ "match": { ++ "prefix": "/healthz/ready" ++ }, ++ "route": { ++ "cluster": "agent" ++ } ++ } ++ ] ++ } ++ ] ++ }, ++ "http_filters": [{ ++ "name": "envoy.filters.http.router", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" ++ } ++ }] ++ } ++ } ++ ] ++ } ++ ] ++ } ++ ] ++ } ++ {{- if .zipkin }} ++ , ++ "tracing": { ++ "http": { ++ "name": "envoy.tracers.zipkin", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig", ++ "collector_cluster": "zipkin", ++ "collector_endpoint": "/api/v2/spans", ++ "collector_endpoint_version": "HTTP_JSON", ++ "trace_id_128bit": true, ++ "shared_span_context": false ++ } ++ } ++ } ++ {{- else if .lightstep }} ++ , ++ "tracing": { ++ "http": { ++ "name": "envoy.tracers.lightstep", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.trace.v3.LightstepConfig", ++ "collector_cluster": "lightstep", ++ "access_token_file": "{{ .lightstepToken}}" ++ } ++ } ++ } ++ {{- else if .datadog }} ++ , ++ "tracing": { ++ "http": { ++ "name": "envoy.tracers.datadog", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.trace.v3.DatadogConfig", ++ "collector_cluster": "datadog_agent", ++ "service_name": "{{ .cluster }}" ++ } ++ } ++ } ++ {{- else if .openCensusAgent }} ++ , ++ "tracing": { ++ "http": { ++ "name": "envoy.tracers.opencensus", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig", ++ "ocagent_exporter_enabled": true, ++ "ocagent_address": "{{ .openCensusAgent }}", ++ "incoming_trace_context": {{ .openCensusAgentContexts }}, ++ "outgoing_trace_context": {{ .openCensusAgentContexts }}, ++ "trace_config": { ++ "constant_sampler": { ++ "decision": "ALWAYS_PARENT" ++ }, ++ "max_number_of_annotations": 200, ++ "max_number_of_attributes": 200, ++ "max_number_of_message_events": 200, ++ "max_number_of_links": 200 ++ } ++ } ++ } ++ } ++ {{- else if .stackdriver }} ++ , ++ "tracing": { ++ "http": { ++ "name": "envoy.tracers.opencensus", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig", ++ "stackdriver_exporter_enabled": true, ++ "stackdriver_project_id": "{{ .stackdriverProjectID }}", ++ {{ if .sts_port }} ++ "stackdriver_grpc_service": { ++ "google_grpc": { ++ "target_uri": "cloudtrace.googleapis.com", ++ "stat_prefix": "oc_stackdriver_tracer", ++ "channel_credentials": { ++ "ssl_credentials": {} ++ }, ++ "call_credentials": [{ ++ "sts_service": { ++ "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token", ++ "subject_token_path": "/var/run/secrets/tokens/istio-token", ++ "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", ++ "scope": "https://www.googleapis.com/auth/cloud-platform" ++ } ++ }] ++ }, ++ "initial_metadata": [ ++ {{ if .gcp_project_id }} ++ { ++ "key": "x-goog-user-project", ++ "value": "{{ .gcp_project_id }}" ++ } ++ {{ end }} ++ ] ++ }, ++ {{ end }} ++ "stdout_exporter_enabled": {{ .stackdriverDebug }}, ++ "incoming_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"], ++ "outgoing_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"], ++ "trace_config":{ ++ "constant_sampler":{ ++ "decision": "ALWAYS_PARENT" ++ }, ++ "max_number_of_annotations": {{ .stackdriverMaxAnnotations }}, ++ "max_number_of_attributes": {{ .stackdriverMaxAttributes }}, ++ "max_number_of_message_events": {{ .stackdriverMaxEvents }}, ++ "max_number_of_links": 200 ++ } ++ } ++ }} ++ {{ end }} ++ {{ if or .envoy_metrics_service_address .statsd }} ++ , ++ "stats_sinks": [ ++ {{ if .envoy_metrics_service_address }} ++ { ++ "name": "envoy.stat_sinks.metrics_service", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig", ++ "transport_api_version": "V3", ++ "grpc_service": { ++ "envoy_grpc": { ++ "cluster_name": "envoy_metrics_service" ++ } ++ } ++ } ++ } ++ {{ end }} ++ {{ if and .envoy_metrics_service_address .statsd }} ++ , ++ {{ end }} ++ {{ if .statsd }} ++ { ++ "name": "envoy.stat_sinks.statsd", ++ "typed_config": { ++ "@type": "type.googleapis.com/envoy.config.metrics.v3.StatsdSink", ++ "address": { ++ "socket_address": {{ .statsd }} ++ } ++ } ++ } ++ {{ end }} ++ ] ++ {{ end }} ++ {{ if .outlier_log_path }} ++ , ++ "cluster_manager": { ++ "outlier_detection": { ++ "event_log_path": "{{ .outlier_log_path }}" ++ } ++ } ++ {{ end }} ++} +diff -Naur istio/tools/packaging/common/higress-proxy-container-init.sh istio-new/tools/packaging/common/higress-proxy-container-init.sh +--- istio/tools/packaging/common/higress-proxy-container-init.sh 1970-01-01 08:00:00.000000000 +0800 ++++ istio-new/tools/packaging/common/higress-proxy-container-init.sh 2024-05-19 16:30:06.202757394 +0800 +@@ -0,0 +1,32 @@ ++#!/bin/bash ++ ++mkdir -p /var/log/proxy ++ ++mkdir -p /var/lib/istio ++ ++chown -R 1337.1337 /var/log/proxy ++ ++chown -R 1337.1337 /var/lib/logrotate ++ ++chown -R 1337.1337 /var/lib/istio ++ ++cat < /etc/logrotate.d/higress-logrotate ++/var/log/proxy/access.log ++{ ++su 1337 1337 ++rotate 5 ++create 644 1337 1337 ++nocompress ++notifempty ++minsize 100M ++postrotate ++ ps aux|grep "envoy -c"|grep -v "grep"|awk '{print $2}'|xargs -i kill -SIGUSR1 {} ++endscript ++} ++EOF ++ ++chmod -R 0644 /etc/logrotate.d/higress-logrotate ++ ++cat < /var/lib/istio/cron.txt ++* * * * * /usr/sbin/logrotate /etc/logrotate.d/higress-logrotate ++EOF +diff -Naur istio/tools/packaging/common/higress-proxy-start.sh istio-new/tools/packaging/common/higress-proxy-start.sh +--- istio/tools/packaging/common/higress-proxy-start.sh 1970-01-01 08:00:00.000000000 +0800 ++++ istio-new/tools/packaging/common/higress-proxy-start.sh 2024-05-19 16:33:18.802761176 +0800 +@@ -0,0 +1,10 @@ ++#!/bin/bash ++ ++if [ -n "$LITE_METRICS" ]; then ++ cp /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json ++fi ++ ++nohup supercronic /var/lib/istio/cron.txt &> /dev/null & ++ ++/usr/local/bin/pilot-agent $* ++