Enable srds by default (#811)

helm/core/crds/customresourcedefinitions.gen.yaml

@@ -154,6 +154,11 @@ spec:
                           type: array
                         httpPath:
                           type: string
+                        paramFromEntireBody:
+                          properties:
+                            paramType:
+                              type: string
+                          type: object
                         params:
                           items:
                             properties:

helm/core/templates/controller-deployment.yaml

@@ -70,6 +70,10 @@ spec:
             periodSeconds: 3
             timeoutSeconds: 5
           env:
+          - name: DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD
+            value: "{{ .Values.global.defaultUpstreamConcurrencyThreshold }}"
+          - name: ISTIO_GPRC_MAXRECVMSGSIZE
+            value: "{{ .Values.global.xdsMaxRecvMsgSize }}"
           - name: ENBALE_SCOPED_RDS
             value: "{{ .Values.global.enableSRDS }}"
           - name: ON_DEMAND_RDS

helm/core/templates/deployment.yaml

@@ -175,15 +175,15 @@ spec:
             protocol: TCP
           {{- end }}
           readinessProbe:
-            failureThreshold: 30
+            failureThreshold: {{ .Values.gateway.readinessFailureThreshold }}
             httpGet:
               path: /healthz/ready
               port: 15021
               scheme: HTTP
-            initialDelaySeconds: 1
+            initialDelaySeconds: {{ .Values.gateway.readinessInitialDelaySeconds }}
-            periodSeconds: 2
+            periodSeconds: {{ .Values.gateway.readinessPeriodSeconds }}
-            successThreshold: 1
+            successThreshold: {{ .Values.gateway.readinessSuccessThreshold }}
-            timeoutSeconds: 3
+            timeoutSeconds: {{ .Values.gateway.readinessTimeoutSeconds }}
           {{- if not (or .Values.global.local .Values.global.kind) }}
           resources:
             {{- toYaml .Values.gateway.resources | nindent 12 }}

helm/core/values.yaml

@@ -1,6 +1,8 @@
 revision: ""
 global:
-  enableSRDS: false
+  xdsMaxRecvMsgSize: 104857600
+  defaultUpstreamConcurrencyThreshold: 10000
+  enableSRDS: true
   onDemandRDS: false
   hostRDSMergeSubset: false
   onlyPushRouteCluster: true
@@ -151,12 +153,18 @@ global:
     # The number of successive failed probes before indicating readiness failure.
     readinessFailureThreshold: 30
 
+    # The number of successive successed probes before indicating readiness success.
+    readinessSuccessThreshold: 30
+
     # The initial delay for readiness probes in seconds.
     readinessInitialDelaySeconds: 1
 
     # The period between readiness probes.
     readinessPeriodSeconds: 2
 
+    # The readiness timeout seconds
+    readinessTimeoutSeconds: 3
+
     # Resources for the sidecar.
     resources:
       requests:
@@ -373,6 +381,21 @@ gateway:
   replicas: 2
   image: gateway
 
+  # The number of successive failed probes before indicating readiness failure.
+  readinessFailureThreshold: 30
+
+  # The number of successive successed probes before indicating readiness success.
+  readinessSuccessThreshold: 1
+
+  # The initial delay for readiness probes in seconds.
+  readinessInitialDelaySeconds: 1
+
+  # The period between readiness probes.
+  readinessPeriodSeconds: 2
+
+  # The readiness timeout seconds
+  readinessTimeoutSeconds: 3
+
   hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress
   tag: ""
   # revision declares which revision this gateway is a part of

istio/1.12/patches/istio/20240201-optimize-default-arg.patch

@@ -0,0 +1,60 @@
+diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
+--- istio/pilot/cmd/pilot-agent/status/util/stats.go	2024-02-01 10:20:13.000000000 +0800
++++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go	2024-01-31 22:44:53.000000000 +0800
+@@ -73,7 +73,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)
++	readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort)
+ 	stats, err := http.DoHTTPGetWithTimeout(readinessURL, readinessTimeout)
+ 	if err != nil {
+ 		return nil, false, err
+@@ -105,7 +105,7 @@
+ 		localHostAddr = "localhost"
+ 	}
+ 
+-	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, updateStatsRegex))
++	stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
+--- istio/pilot/pkg/features/pilot.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/features/pilot.go	2024-02-01 10:16:18.000000000 +0800
+@@ -575,6 +575,8 @@
+ 		"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+ 	OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+ 		"If enabled, the on demand filter will be added to the HCM filters").Get()
++	DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
++		"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+ 	// End added by ingress
+ )
+ 
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/cluster.go istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go
+--- istio/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:20:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go	2024-02-01 10:16:05.000000000 +0800
+@@ -61,6 +61,7 @@
+ 
+ // getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
+ func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
++	// Modified by ingress
+ 	return &cluster.CircuitBreakers_Thresholds{
+ 		// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This
+ 		// defines the maximum number of parallel retries a given Envoy will allow to the upstream cluster. Envoy defaults
+@@ -68,11 +69,12 @@
+ 		// where multiple endpoints in a cluster are terminated. In these scenarios the circuit breaker can kick
+ 		// in before Pilot is able to deliver an updated endpoint list to Envoy, leading to client-facing 503s.
+ 		MaxRetries:         &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxRequests:        &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxConnections:     &wrappers.UInt32Value{Value: math.MaxUint32},
+-		MaxPendingRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
++		MaxRequests:        &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxConnections:     &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
++		MaxPendingRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ 		TrackRemaining:     true,
+ 	}
++	// End modified by ingress
+ }
+ 
+ // BuildClusters returns the list of clusters for the given proxy. This is the CDS output

istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch

@@ -0,0 +1,88 @@
+diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
+--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:53:17.000000000 +0800
++++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go	2024-02-01 13:52:11.000000000 +0800
+@@ -501,6 +501,16 @@
+ 					gatewayVirtualServices[gatewayName] = virtualServices
+ 				}
+ 				for _, virtualService := range virtualServices {
++					virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
++					serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace)
++
++					// We have two cases here:
++					// 1. virtualService hosts are 1.foo.com, 2.foo.com, 3.foo.com and server hosts are ns/*.foo.com
++					// 2. virtualService hosts are *.foo.com, and server hosts are ns/1.foo.com, ns/2.foo.com, ns/3.foo.com
++					intersectingHosts := serverHosts.Intersection(virtualServiceHosts)
++					if len(intersectingHosts) == 0 {
++						continue
++					}
+ 					listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+ 						virtualService: virtualService,
+ 						server:         server,
+@@ -615,22 +625,24 @@
+ 
+ 		// check all hostname if is not exist with HttpsRedirect set to true
+ 		// create VirtualHost to redirect
+-		for _, hostname := range server.Hosts {
+-			if !server.GetTls().GetHttpsRedirect() {
+-				continue
+-			}
+-			if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
++		if server.GetTls().GetHttpsRedirect() {
++			if vHost != nil {
+ 				vHost.RequireTls = route.VirtualHost_ALL
+-				continue
++			} else {
++				vHost = &route.VirtualHost{
++					Name:                       util.DomainName(hostRDSHost, port),
++					Domains:                    buildGatewayVirtualHostDomains(hostRDSHost, port),
++					IncludeRequestAttemptCount: true,
++					RequireTls:                 route.VirtualHost_ALL,
++				}
+ 			}
+-			vHost = &route.VirtualHost{
+-				Name:                       util.DomainName(hostname, port),
+-				Domains:                    buildGatewayVirtualHostDomains(hostname, port),
+-				IncludeRequestAttemptCount: true,
+-				RequireTls:                 route.VirtualHost_ALL,
++		} else if vHost != nil {
++			mode := server.GetTls().GetMode()
++			if mode == networking.ServerTLSSettings_MUTUAL ||
++				mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
++				vHost.AllowServerNames = append(vHost.AllowServerNames, server.Hosts...)
+ 			}
+ 		}
+-
+ 	}
+ 	var virtualHosts []*route.VirtualHost
+ 	if vHost == nil {
+@@ -642,6 +654,30 @@
+ 			Routes: []*route.Route{},
+ 		}}
+ 	} else {
++		sort.SliceStable(vHost.AllowServerNames, func(i, j int) bool {
++			hostI := vHost.AllowServerNames[i]
++			hostJ := vHost.AllowServerNames[j]
++			if host.Name(hostI).SubsetOf(host.Name(hostJ)) {
++				return true
++			}
++			return hostI < hostJ
++		})
++		var uniqueServerNames []string
++		hasAllCatch := false
++		for i, name := range vHost.AllowServerNames {
++			if name == "*" {
++				hasAllCatch = true
++				break
++			}
++			if i == 0 || vHost.AllowServerNames[i-1] != name {
++				uniqueServerNames = append(uniqueServerNames, name)
++			}
++		}
++		if hasAllCatch {
++			vHost.AllowServerNames = nil
++		} else {
++			vHost.AllowServerNames = uniqueServerNames
++		}
+ 		vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+ 		virtualHosts = append(virtualHosts, vHost)
+ 	}

pkg/ingress/config/ingress_config.go

@@ -475,9 +475,6 @@ func (m *IngressConfig) convertVirtualService(configs []common.WrapperConfig) []
 		gateways := []string{m.namespace + "/" +
 			common.CreateConvertedName(m.clusterId, cleanHost),
 			common.CreateConvertedName(constants.IstioIngressGatewayName, cleanHost)}
-		if host != "*" {
-			gateways = append(gateways, m.namespace+"/"+common.CreateConvertedName(m.clusterId, common.CleanHost("*")))
-		}
 
 		wrapperVS, exist := convertOptions.VirtualServices[host]
 		if !exist {

pkg/ingress/config/kingress_config.go

@@ -314,9 +314,6 @@ func (m *KIngressConfig) convertVirtualService(configs []common.WrapperConfig) [
 		gateways := []string{m.namespace + "/" +
 			common.CreateConvertedName(m.clusterId, cleanHost),
 			common.CreateConvertedName(constants.IstioIngressGatewayName, cleanHost)}
-		if host != "*" {
-			gateways = append(gateways, m.namespace+"/"+common.CreateConvertedName(m.clusterId, common.CleanHost("*")))
-		}
 
 		wrapperVS, exist := convertOptions.VirtualServices[host]
 		if !exist {