jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-06-09 12:47:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove useless patch files and fix some issues of envoy&istio (#1263)

Browse Source
This commit is contained in:
澄潭
2024-08-30 19:18:18 +08:00
committed by GitHub
parent abefb35ffb
commit d0ac5946bb
69 changed files with 4 additions and 123475 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64873
istio/1.12/patches/api/20221027-init.patch
View File

File diff suppressed because one or more lines are too long

1574
istio/1.12/patches/client-go/20221027-init.patch
View File

File diff suppressed because it is too large Load Diff

9947
istio/1.12/patches/istio/20221027-init.patch
View File

File diff suppressed because it is too large Load Diff

189
istio/1.12/patches/istio/20221103-fix-multi-namespace.patch
View File

@@ -1,189 +0,0 @@
diff --git a/pilot/docker/Dockerfile.pilot b/pilot/docker/Dockerfile.pilot
index 601d78d12a..4a63a71ff5 100644
--- a/pilot/docker/Dockerfile.pilot
+++ b/pilot/docker/Dockerfile.pilot
@@ -25,6 +25,8 @@ COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json
COPY higress-pilot-start.sh /usr/local/bin/higress-pilot-start.sh
+RUN chmod +x /usr/local/bin/higress-pilot-start.sh
+
USER 1337:1337
ENTRYPOINT ["/usr/local/bin/higress-pilot-start.sh"]
diff --git a/pilot/pkg/model/ali_push_context.go b/pilot/pkg/model/ali_push_context.go
index 459bd78469..55ba7331e0 100644
--- a/pilot/pkg/model/ali_push_context.go
+++ b/pilot/pkg/model/ali_push_context.go
@@ -1,6 +1,7 @@
package model
import (
+ "path"
"sort"
"strings"
"time"
@@ -123,7 +124,7 @@ func createCRName(clusterId, autoGenerated string) string {
// virtualServiceFilter will modify copied configs from underlying store.
// We merge routes into pre host of virtual service.
-func virtualServiceFilter(configs []config.Config) []config.Config {
+func VirtualServiceFilter(configs []config.Config) []config.Config {
var autoGenerated []*config.Config
configsForName := make(map[string]*config.Config, len(configs))
@@ -134,7 +135,7 @@ func virtualServiceFilter(configs []config.Config) []config.Config {
if strings.HasPrefix(c.Name, constants.IstioIngressGatewayName) {
autoGenerated = append(autoGenerated, &c)
} else {
- configsForName[c.Name] = &c
+ configsForName[path.Join(c.Namespace, c.Name)] = &c
}
}
@@ -142,7 +143,7 @@ func virtualServiceFilter(configs []config.Config) []config.Config {
for _, c := range autoGenerated {
targetName := createCRName(istioClusterId, c.Name)
- rawVS, exist := configsForName[targetName]
+ rawVS, exist := configsForName[path.Join(c.Namespace, targetName)]
if exist {
vs := rawVS.Spec.(*networking.VirtualService)
autoGeneratedVS := c.Spec.(*networking.VirtualService)
@@ -155,7 +156,7 @@ func virtualServiceFilter(configs []config.Config) []config.Config {
// We change the auto-generated config name to the format of cr name same with ops when ops
// don't have this host.
c.Name = targetName
- configsForName[targetName] = c
+ configsForName[path.Join(c.Namespace, targetName)] = c
}
}
@@ -167,7 +168,7 @@ func virtualServiceFilter(configs []config.Config) []config.Config {
}
// destinationFilter will modify copied configs from underlying store.
-func destinationFilter(configs []config.Config) []config.Config {
+func DestinationFilter(configs []config.Config) []config.Config {
var autoGenerated []*config.Config
configsForName := make(map[string]*config.Config, len(configs))
@@ -176,7 +177,7 @@ func destinationFilter(configs []config.Config) []config.Config {
if strings.HasPrefix(c.Name, constants.IstioIngressGatewayName) {
autoGenerated = append(autoGenerated, &c)
} else {
- configsForName[c.Name] = &c
+ configsForName[path.Join(c.Namespace, c.Name)] = &c
}
}
@@ -185,12 +186,12 @@ func destinationFilter(configs []config.Config) []config.Config {
for _, c := range autoGenerated {
// DestinationRule name of ops is md5 without cluster id.
targetName := strings.TrimPrefix(c.Name, constants.IstioIngressGatewayName+"-")
- _, exist := configsForName[targetName]
+ _, exist := configsForName[path.Join(c.Namespace, targetName)]
if !exist {
// We change the auto-generated config name to the format of cr name same with ops when ops
// don't have destination rule for this service.
c.Name = targetName
- configsForName[targetName] = c
+ configsForName[path.Join(c.Namespace, targetName)] = c
}
}
@@ -203,7 +204,7 @@ func destinationFilter(configs []config.Config) []config.Config {
// gatewayFilter will modify copied configs from underlying store.
// We merge routes into pre host of virtual service.
-func gatewayFilter(configs []config.Config) []config.Config {
+func GatewayFilter(configs []config.Config) []config.Config {
var autoGenerated []*config.Config
configsForName := make(map[string]*config.Config, len(configs))
@@ -214,7 +215,7 @@ func gatewayFilter(configs []config.Config) []config.Config {
if strings.HasPrefix(c.Name, constants.IstioIngressGatewayName) {
autoGenerated = append(autoGenerated, &c)
} else {
- configsForName[c.Name] = &c
+ configsForName[path.Join(c.Namespace, c.Name)] = &c
}
}
@@ -222,14 +223,14 @@ func gatewayFilter(configs []config.Config) []config.Config {
for _, c := range autoGenerated {
targetName := createCRName(istioClusterId, c.Name)
- _, exist := configsForName[targetName]
+ _, exist := configsForName[path.Join(c.Namespace, targetName)]
// Note, if ops already has the host without tls and ingress has the same host with tls,
// we don't merge tls settings, i.e, we don't adopt ingress tls for this host.
if !exist {
// We change the auto-generated config name to the format of cr name same with ops when ops
// don't have this host.
c.Name = targetName
- configsForName[targetName] = c
+ configsForName[path.Join(c.Namespace, targetName)] = c
}
}
diff --git a/pilot/pkg/model/push_context.go b/pilot/pkg/model/push_context.go
index b7e4957b62..89bc9e4e36 100644
--- a/pilot/pkg/model/push_context.go
+++ b/pilot/pkg/model/push_context.go
@@ -1406,7 +1406,7 @@ func (ps *PushContext) initVirtualServices(env *Environment) error {
}
// Added by ingress
- vservices = virtualServiceFilter(vservices)
+ vservices = VirtualServiceFilter(vservices)
// End added by ingress
totalVirtualServices.Record(float64(len(virtualServices)))
@@ -1608,7 +1608,7 @@ func (ps *PushContext) initDestinationRules(env *Environment) error {
destRules[i] = configs[i].DeepCopy()
}
- destRules = destinationFilter(destRules)
+ destRules = DestinationFilter(destRules)
ps.SetDestinationRules(destRules)
return nil
@@ -1937,7 +1937,7 @@ func (ps *PushContext) initGateways(env *Environment) error {
for i := range gateways {
gateways[i] = gatewayConfigs[i].DeepCopy()
}
- gatewayConfigs = gatewayFilter(gateways)
+ gatewayConfigs = GatewayFilter(gateways)
// End added by ingress
sortConfigByCreationTime(gatewayConfigs)
diff --git a/pilot/pkg/xds/debug.go b/pilot/pkg/xds/debug.go
index ac91ef312a..a5b4ea6943 100644
--- a/pilot/pkg/xds/debug.go
+++ b/pilot/pkg/xds/debug.go
@@ -42,6 +42,7 @@ import (
v3 "istio.io/istio/pilot/pkg/xds/v3"
"istio.io/istio/pkg/config"
"istio.io/istio/pkg/config/schema/collection"
+ "istio.io/istio/pkg/config/schema/gvk"
"istio.io/istio/pkg/network"
"istio.io/istio/pkg/util/protomarshal"
istiolog "istio.io/pkg/log"
@@ -463,6 +464,16 @@ func (s *DiscoveryServer) configz(w http.ResponseWriter, req *http.Request) {
configs := make([]kubernetesConfig, 0)
s.Env.IstioConfigStore.Schemas().ForEach(func(schema collection.Schema) bool {
cfg, _ := s.Env.IstioConfigStore.List(schema.Resource().GroupVersionKind(), "")
+ // Added by ingress
+ switch schema.Resource().GroupVersionKind().String() {
+ case gvk.Gateway.String():
+ cfg = model.GatewayFilter(cfg)
+ case gvk.VirtualService.String():
+ cfg = model.VirtualServiceFilter(cfg)
+ case gvk.DestinationRule.String():
+ cfg = model.DestinationFilter(cfg)
+ }
+ // End added by ingress
for _, c := range cfg {
configs = append(configs, kubernetesConfig{c})
}

12
istio/1.12/patches/istio/20221107-mcp-skip-validate.patch
View File

@@ -1,12 +0,0 @@
diff -Naur istio/pilot/pkg/bootstrap/configcontroller.go new/pilot/pkg/bootstrap/configcontroller.go
--- istio/pilot/pkg/bootstrap/configcontroller.go 2022-11-07 21:47:11.000000000 +0800
+++ new/pilot/pkg/bootstrap/configcontroller.go 2022-11-07 21:50:31.000000000 +0800
@@ -250,7 +250,7 @@
if err != nil {
return fmt.Errorf("failed to dial XDS %s %v", configSource.Address, err)
}
- store := memory.Make(collections.Pilot)
+ store := memory.MakeSkipValidation(collections.Pilot)
configController := memory.NewController(store)
configController.RegisterHasSyncedHandler(xdsMCP.HasSynced)
xdsMCP.Store = model.MakeIstioStore(configController)

37
istio/1.12/patches/istio/20221107-support-ingress-secret.patch
View File

@@ -1,37 +0,0 @@
diff -Naur istio/pilot/pkg/model/credentials/ali_resource.go new/pilot/pkg/model/credentials/ali_resource.go
--- istio/pilot/pkg/model/credentials/ali_resource.go 2022-11-07 21:40:10.000000000 +0800
+++ new/pilot/pkg/model/credentials/ali_resource.go 2022-11-07 19:03:22.000000000 +0800
@@ -4,6 +4,7 @@
"fmt"
"strings"
+ "istio.io/istio/pilot/pkg/features"
"istio.io/istio/pkg/cluster"
)
@@ -13,6 +14,9 @@
)
func ToKubernetesIngressResource(clusterId, namespace, name string) string {
+ if clusterId == "" {
+ clusterId = features.ClusterName
+ }
return fmt.Sprintf("%s://%s/%s/%s", KubernetesIngressSecretType, clusterId, namespace, name)
}
diff -Naur istio/pilot/pkg/xds/sds.go new/pilot/pkg/xds/sds.go
--- istio/pilot/pkg/xds/sds.go 2022-11-07 21:40:10.000000000 +0800
+++ new/pilot/pkg/xds/sds.go 2022-11-07 21:44:28.000000000 +0800
@@ -229,6 +229,12 @@
} else {
deniedResources = append(deniedResources, r.Name)
}
+ case credentials.KubernetesIngressSecretType:
+ if isAuthorized() {
+ allowedResources = append(allowedResources, r)
+ } else {
+ deniedResources = append(deniedResources, r.Name)
+ }
default:
// Should never happen
log.Warnf("unknown credential type %q", r.Type)

185
istio/1.12/patches/istio/20221110-fix-deadlock.patch
View File

@@ -1,185 +0,0 @@
diff --git a/pkg/istio-agent/xds_proxy.go b/pkg/istio-agent/xds_proxy.go
index 51766751e1..5b33234024 100644
--- a/pkg/istio-agent/xds_proxy.go
+++ b/pkg/istio-agent/xds_proxy.go
@@ -47,6 +47,7 @@ import (
"istio.io/istio/pilot/pkg/features"
istiogrpc "istio.io/istio/pilot/pkg/grpc"
v3 "istio.io/istio/pilot/pkg/xds/v3"
+ "istio.io/istio/pkg/channels"
"istio.io/istio/pkg/config/constants"
dnsProto "istio.io/istio/pkg/dns/proto"
"istio.io/istio/pkg/istio-agent/health"
@@ -233,24 +234,14 @@ func initXdsProxy(ia *Agent) (*XdsProxy, error) {
// PersistRequest sends a request to the currently connected proxy. Additionally, on any reconnection
// to the upstream XDS request we will resend this request.
func (p *XdsProxy) PersistRequest(req *discovery.DiscoveryRequest) {
- var ch chan *discovery.DiscoveryRequest
- var stop chan struct{}
-
p.connectedMutex.Lock()
- if p.connected != nil {
- ch = p.connected.requestsChan
- stop = p.connected.stopChan
+ // Immediately send if we are currently connect
+ if p.connected != nil && p.connected.requestsChan != nil {
+ p.connected.requestsChan.Put(req)
}
+ // Otherwise place it as our initial request for new connections
p.initialRequest = req
p.connectedMutex.Unlock()
-
- // Immediately send if we are currently connect
- if ch != nil {
- select {
- case ch <- req:
- case <-stop:
- }
- }
}
func (p *XdsProxy) UnregisterStream(c *ProxyConnection) {
@@ -276,9 +267,9 @@ type ProxyConnection struct {
conID uint32
upstreamError chan error
downstreamError chan error
- requestsChan chan *discovery.DiscoveryRequest
+ requestsChan *channels.Unbounded
responsesChan chan *discovery.DiscoveryResponse
- deltaRequestsChan chan *discovery.DeltaDiscoveryRequest
+ deltaRequestsChan *channels.Unbounded
deltaResponsesChan chan *discovery.DeltaDiscoveryResponse
stopChan chan struct{}
downstream adsStream
@@ -290,10 +281,7 @@ type ProxyConnection struct {
// sendRequest is a small wrapper around sending to con.requestsChan. This ensures that we do not
// block forever on
func (con *ProxyConnection) sendRequest(req *discovery.DiscoveryRequest) {
- select {
- case con.requestsChan <- req:
- case <-con.stopChan:
- }
+ con.requestsChan.Put(req)
}
type adsStream interface {
@@ -315,10 +303,29 @@ func (p *XdsProxy) handleStream(downstream adsStream) error {
conID: connectionNumber.Inc(),
upstreamError: make(chan error, 2), // can be produced by recv and send
downstreamError: make(chan error, 2), // can be produced by recv and send
- requestsChan: make(chan *discovery.DiscoveryRequest, 10),
- responsesChan: make(chan *discovery.DiscoveryResponse, 10),
- stopChan: make(chan struct{}),
- downstream: downstream,
+ // Requests channel is unbounded. The Envoy<->XDS Proxy<->Istiod system produces a natural
+ // looping of Recv and Send. Due to backpressure introduce by gRPC natively (that is, Send() can
+ // only send so much data without being Recv'd before it starts blocking), along with the
+ // backpressure provided by our channels, we have a risk of deadlock where both xdsproxy and
+ // Istiod are trying to Send, but both are blocked by gRPC backpressure until Recv() is called.
+ // However, Recv can fail to be called by Send being blocked. This can be triggered by the two
+ // sources in our system (Envoy request and Istiod pushes) producing more events than we can keep
+ // up with.
+ // See https://github.com/istio/istio/issues/39209 for more information
+ //
+ // To prevent these issues, we need to either:
+ // 1. Apply backpressure directly to Envoy requests or Istiod pushes
+ // 2. Make part of the system unbounded
+ //
+ // (1) is challenging because we cannot do a conditional Recv (for Envoy requests), and changing
+ // the control plane requires substantial changes. Instead, we make the requests channel
+ // unbounded. This is the least likely to cause issues as the messages we store here are the
+ // smallest relative to other channels.
+ requestsChan: channels.NewUnbounded(),
+ // Allow a buffer of 1. This ensures we queue up at most 2 (one in process, 1 pending) responses before forwarding.
+ responsesChan: make(chan *discovery.DiscoveryResponse, 1),
+ stopChan: make(chan struct{}),
+ downstream: downstream,
}
p.RegisterStream(con)
@@ -452,7 +459,9 @@ func (p *XdsProxy) handleUpstreamRequest(con *ProxyConnection) {
defer con.upstream.CloseSend() // nolint
for {
select {
- case req := <-con.requestsChan:
+ case requ := <-con.requestsChan.Get():
+ con.requestsChan.Load()
+ req := requ.(*discovery.DiscoveryRequest)
proxyLog.Debugf("request for type url %s", req.TypeUrl)
metrics.XdsProxyRequests.Increment()
if req.TypeUrl == v3.ExtensionConfigurationType {
diff --git a/pkg/istio-agent/xds_proxy_delta.go b/pkg/istio-agent/xds_proxy_delta.go
index 2cd82b4059..c2245f9918 100644
--- a/pkg/istio-agent/xds_proxy_delta.go
+++ b/pkg/istio-agent/xds_proxy_delta.go
@@ -27,6 +27,7 @@ import (
"istio.io/istio/pilot/pkg/features"
istiogrpc "istio.io/istio/pilot/pkg/grpc"
v3 "istio.io/istio/pilot/pkg/xds/v3"
+ "istio.io/istio/pkg/channels"
"istio.io/istio/pkg/istio-agent/metrics"
"istio.io/istio/pkg/wasm"
)
@@ -34,10 +35,7 @@ import (
// sendDeltaRequest is a small wrapper around sending to con.requestsChan. This ensures that we do not
// block forever on
func (con *ProxyConnection) sendDeltaRequest(req *discovery.DeltaDiscoveryRequest) {
- select {
- case con.deltaRequestsChan <- req:
- case <-con.stopChan:
- }
+ con.deltaRequestsChan.Put(req)
}
// requests from envoy
@@ -48,10 +46,11 @@ func (p *XdsProxy) DeltaAggregatedResources(downstream discovery.AggregatedDisco
proxyLog.Debugf("accepted delta xds connection from envoy, forwarding to upstream")
con := &ProxyConnection{
- upstreamError: make(chan error, 2), // can be produced by recv and send
- downstreamError: make(chan error, 2), // can be produced by recv and send
- deltaRequestsChan: make(chan *discovery.DeltaDiscoveryRequest, 10),
- deltaResponsesChan: make(chan *discovery.DeltaDiscoveryResponse, 10),
+ upstreamError: make(chan error, 2), // can be produced by recv and send
+ downstreamError: make(chan error, 2), // can be produced by recv and send
+ deltaRequestsChan: channels.NewUnbounded(),
+ // Allow a buffer of 1. This ensures we queue up at most 2 (one in process, 1 pending) responses before forwarding.
+ deltaResponsesChan: make(chan *discovery.DeltaDiscoveryResponse, 1),
stopChan: make(chan struct{}),
downstreamDeltas: downstream,
}
@@ -190,7 +189,9 @@ func (p *XdsProxy) handleUpstreamDeltaRequest(con *ProxyConnection) {
}()
for {
select {
- case req := <-con.deltaRequestsChan:
+ case requ := <-con.deltaRequestsChan.Get():
+ con.deltaRequestsChan.Load()
+ req := requ.(*discovery.DeltaDiscoveryRequest)
proxyLog.Debugf("delta request for type url %s", req.TypeUrl)
metrics.XdsProxyRequests.Increment()
if req.TypeUrl == v3.ExtensionConfigurationType {
@@ -296,22 +297,10 @@ func sendDownstreamDelta(deltaDownstream discovery.AggregatedDiscoveryService_De
}
func (p *XdsProxy) PersistDeltaRequest(req *discovery.DeltaDiscoveryRequest) {
- var ch chan *discovery.DeltaDiscoveryRequest
- var stop chan struct{}
-
p.connectedMutex.Lock()
if p.connected != nil {
- ch = p.connected.deltaRequestsChan
- stop = p.connected.stopChan
+ p.connected.deltaRequestsChan.Put(req)
}
p.initialDeltaRequest = req
p.connectedMutex.Unlock()
-
- // Immediately send if we are currently connect
- if ch != nil {
- select {
- case ch <- req:
- case <-stop:
- }
- }
}

139
istio/1.12/patches/istio/20221110-fix-xds-push.patch
View File

@@ -1,139 +0,0 @@
diff -Naur base/pilot/pkg/xds/xdsgen.go istio/pilot/pkg/xds/xdsgen.go
--- base/pilot/pkg/xds/xdsgen.go 2022-11-10 20:45:14.000000000 +0800
+++ istio/pilot/pkg/xds/xdsgen.go 2022-11-10 20:16:35.000000000 +0800
@@ -96,40 +96,23 @@
return nil
}
-// End added by ingress
-
-// Push an XDS resource for the given connection. Configuration will be generated
-// based on the passed in generator. Based on the updates field, generators may
-// choose to send partial or even no response if there are no changes.
-func (s *DiscoveryServer) pushXds(con *Connection, push *model.PushContext,
- w *model.WatchedResource, req *model.PushRequest) error {
+func (s *DiscoveryServer) pushMcpXds(con *Connection, push *model.PushContext, w *model.WatchedResource, req *model.PushRequest) error {
if w == nil {
return nil
}
t0 := time.Now()
- // Modified by ingress
+
var (
- res []*any.Any
logdata model.XdsLogDetails
err error
)
- if s.Env.MCPMode {
- res = make([]*any.Any, 0)
- gen := s.findMcpGenerator(w.TypeUrl, con)
- if gen != nil {
- res, logdata, err = gen.Generate(con.proxy, push, w, req)
- }
- } else {
- gen := s.findGenerator(w.TypeUrl, con)
- if gen == nil {
- return nil
- }
- var resource model.Resources
- resource, logdata, err = gen.Generate(con.proxy, push, w, req)
- res = model.ResourcesToAny(resource)
+ res := make([]*any.Any, 0)
+ gen := s.findMcpGenerator(w.TypeUrl, con)
+ if gen != nil {
+ res, logdata, err = gen.Generate(con.proxy, push, w, req)
}
- if err != nil || res == nil {
+ if err != nil {
// If we have nothing to send, report that we got an ACK for this version.
if s.StatusReporter != nil {
s.StatusReporter.RegisterEvent(con.ConID, w.TypeUrl, push.LedgerVersion)
@@ -181,7 +164,86 @@
log.Infof("%s: %s%s for node:%s resources:%d size:%v%s%s", v3.GetShortType(w.TypeUrl), ptype, req.PushReason(), con.proxy.ID, len(res),
util.ByteCount(AnyResourceSize(res)), info, debug)
}
- // End modified by ingress
+ return nil
+}
+
+// End added by ingress
+
+// Push an XDS resource for the given connection. Configuration will be generated
+// based on the passed in generator. Based on the updates field, generators may
+// choose to send partial or even no response if there are no changes.
+func (s *DiscoveryServer) pushXds(con *Connection, push *model.PushContext,
+ w *model.WatchedResource, req *model.PushRequest) error {
+ // Added by ingress
+ if s.Env.MCPMode {
+ return s.pushMcpXds(con, push, w, req)
+ }
+ // End added by ingress
+ if w == nil {
+ return nil
+ }
+ gen := s.findGenerator(w.TypeUrl, con)
+ if gen == nil {
+ return nil
+ }
+
+ t0 := time.Now()
+
+ res, logdata, err := gen.Generate(con.proxy, push, w, req)
+ if err != nil || res == nil {
+ // If we have nothing to send, report that we got an ACK for this version.
+ if s.StatusReporter != nil {
+ s.StatusReporter.RegisterEvent(con.ConID, w.TypeUrl, push.LedgerVersion)
+ }
+ return err
+ }
+ defer func() { recordPushTime(w.TypeUrl, time.Since(t0)) }()
+
+ resp := &discovery.DiscoveryResponse{
+ ControlPlane: ControlPlane(),
+ TypeUrl: w.TypeUrl,
+ // TODO: send different version for incremental eds
+ VersionInfo: push.PushVersion,
+ Nonce: nonce(push.LedgerVersion),
+ Resources: model.ResourcesToAny(res),
+ }
+
+ configSize := ResourceSize(res)
+ configSizeBytes.With(typeTag.Value(w.TypeUrl)).Record(float64(configSize))
+
+ ptype := "PUSH"
+ info := ""
+ if logdata.Incremental {
+ ptype = "PUSH INC"
+ }
+ if len(logdata.AdditionalInfo) > 0 {
+ info = " " + logdata.AdditionalInfo
+ }
+
+ if err := con.send(resp); err != nil {
+ if recordSendError(w.TypeUrl, err) {
+ log.Warnf("%s: Send failure for node:%s resources:%d size:%s%s: %v",
+ v3.GetShortType(w.TypeUrl), con.proxy.ID, len(res), util.ByteCount(configSize), info, err)
+ }
+ return err
+ }
+
+ switch {
+ case logdata.Incremental:
+ if log.DebugEnabled() {
+ log.Debugf("%s: %s%s for node:%s resources:%d size:%s%s",
+ v3.GetShortType(w.TypeUrl), ptype, req.PushReason(), con.proxy.ID, len(res), util.ByteCount(configSize), info)
+ }
+ default:
+ debug := ""
+ if log.DebugEnabled() {
+ // Add additional information to logs when debug mode enabled.
+ debug = " nonce:" + resp.Nonce + " version:" + resp.VersionInfo
+ }
+ log.Infof("%s: %s%s for node:%s resources:%d size:%v%s%s", v3.GetShortType(w.TypeUrl), ptype, req.PushReason(), con.proxy.ID, len(res),
+ util.ByteCount(ResourceSize(res)), info, debug)
+ }
+
return nil
}

85
istio/1.12/patches/istio/20221210-mcp-service-entry.patch
View File

@@ -1,85 +0,0 @@
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2022-12-10 16:49:42.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2022-12-10 15:56:09.000000000 +0800
@@ -245,6 +245,7 @@
initializeMutex sync.Mutex
// Added by ingress
+ AllServiceEntries []config.Config
AllVirtualServices []config.Config
AllDestinationRules []config.Config
AllEnvoyFilters []config.Config
@@ -1199,6 +1200,9 @@
// make sure we copy over things that would be generated in initServiceRegistry
ps.ServiceIndex = oldPushContext.ServiceIndex
ps.ServiceAccounts = oldPushContext.ServiceAccounts
+ // Added by ingress
+ ps.AllServiceEntries = oldPushContext.AllServiceEntries
+ // End added by ingress
}
if servicesChanged || gatewayAPIChanged {
@@ -1214,6 +1218,9 @@
}
} else {
ps.virtualServiceIndex = oldPushContext.virtualServiceIndex
+ // Added by ingress
+ ps.AllVirtualServices = oldPushContext.AllVirtualServices
+ // End added by ingress
}
if destinationRulesChanged {
@@ -1222,6 +1229,9 @@
}
} else {
ps.destinationRuleIndex = oldPushContext.destinationRuleIndex
+ // Added by ingress
+ ps.AllDestinationRules = oldPushContext.AllDestinationRules
+ // End added by ingress
}
if authnChanged {
@@ -1255,6 +1265,9 @@
}
} else {
ps.wasmPluginsByNamespace = oldPushContext.wasmPluginsByNamespace
+ // Added by ingress
+ ps.AllWasmplugins = oldPushContext.AllWasmplugins
+ // End added by ingress
}
if envoyFiltersChanged {
@@ -1263,6 +1276,9 @@
}
} else {
ps.envoyFiltersByNamespace = oldPushContext.envoyFiltersByNamespace
+ // Added by ingress
+ ps.AllEnvoyFilters = oldPushContext.AllEnvoyFilters
+ // End added by ingress
}
if gatewayChanged {
@@ -1271,6 +1287,9 @@
}
} else {
ps.gatewayIndex = oldPushContext.gatewayIndex
+ // Added by ingress
+ ps.AllGateways = oldPushContext.AllGateways
+ // End added by ingress
}
// Must be initialized in the end
@@ -1289,6 +1308,13 @@
// Caches list of services in the registry, and creates a map
// of hostname to service
func (ps *PushContext) initServiceRegistry(env *Environment) error {
+ // Added by ingress
+ if env.MCPMode {
+ ps.AllServiceEntries = env.ServiceEntries()
+ return nil
+ }
+ // End added by ingress
+
services, err := env.Services()
if err != nil {
return err

30
istio/1.12/patches/istio/20230119-custom-ca-cert-name.patch
View File

@@ -1,30 +0,0 @@
diff -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go
--- istio/pilot/pkg/features/pilot.go 2023-01-19 11:17:16.000000000 +0800
+++ istio_new/pilot/pkg/features/pilot.go 2023-01-19 11:03:37.000000000 +0800
@@ -562,6 +562,11 @@
PrioritizedLeaderElection = env.RegisterBoolVar("PRIORITIZED_LEADER_ELECTION", true,
"If enabled, the default revision will steal leader locks from non-default revisions").Get()
+
+ // Added by ingress
+ CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
+ "Defines the configmap's name of istio's root ca certificate").Get()
+ // End added by ingress
)
// UnsafeFeaturesEnabled returns true if any unsafe features are enabled.
diff -Naur istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go
--- istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-01-19 11:17:19.000000000 +0800
+++ istio_new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-01-19 11:20:32.000000000 +0800
@@ -50,6 +50,11 @@
if features.ClusterName != "" && features.ClusterName != "Kubernetes" {
dynamicCACertNamespaceConfigMap = fmt.Sprintf("%s-ca-root-cert", features.ClusterName)
}
+ // Added by ingress
+ if features.CustomCACertConfigMapName != "" {
+ dynamicCACertNamespaceConfigMap = features.CustomCACertConfigMapName
+ }
+ // End added by ingress
}
// NamespaceController manages reconciles a configmap in each namespace with a desired set of data.

18
istio/1.12/patches/istio/20230208-waf-stats.patch
View File

@@ -1,18 +0,0 @@
diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio_new/tools/packaging/common/envoy_bootstrap.json
--- istio/tools/packaging/common/envoy_bootstrap.json 2023-02-08 22:42:41.000000000 +0800
+++ istio_new/tools/packaging/common/envoy_bootstrap.json 2023-02-08 22:19:04.000000000 +0800
@@ -37,6 +37,14 @@
"use_all_default_tags": false,
"stats_tags": [
{
+ "tag_name": "phase",
+ "regex": "(_phase=([a-z_]+))"
+ },
+ {
+ "tag_name": "ruleid",
+ "regex": "(_ruleid=([0-9]+))"
+ },
+ {
"tag_name": "route",
"regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
},

20
istio/1.12/patches/istio/20230319-imagefetcher-oci.patch
View File

@@ -1,20 +0,0 @@
diff --color -Naur external/istio/pkg/wasm/imagefetcher.go external/istio_new/pkg/wasm/imagefetcher.go
--- istio/pkg/wasm/imagefetcher.go 2023-03-19 17:56:55.238354950 +0800
+++ istio_new/pkg/wasm/imagefetcher.go 2023-03-19 17:56:40.630410241 +0800
@@ -176,12 +176,12 @@
return nil, fmt.Errorf("could not fetch layers: %v", err)
}
- // The image must be single-layered.
- if len(layers) != 1 {
- return nil, fmt.Errorf("number of layers must be 1 but got %d", len(layers))
+ // The image must have at least one layer.
+ if len(layers) == 0 {
+ return nil, fmt.Errorf("number of layers must be greater than zero")
}
- layer := layers[0]
+ layer := layers[len(layers)-1]
mt, err := layer.MediaType()
if err != nil {
return nil, fmt.Errorf("could not get media type: %v", err)

54
istio/1.12/patches/istio/20230408-ignore-ns.patch
View File

@@ -1,54 +0,0 @@
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-04-08 16:02:02.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-04-07 18:19:20.000000000 +0800
@@ -1049,6 +1049,10 @@
out.QueryParameterMatchSpecifier = &route.QueryParameterMatcher_StringMatch{
StringMatch: &matcher.StringMatcher{MatchPattern: &matcher.StringMatcher_Exact{Exact: m.Exact}},
}
+ case *networking.StringMatch_Prefix:
+ out.QueryParameterMatchSpecifier = &route.QueryParameterMatcher_StringMatch{
+ StringMatch: &matcher.StringMatcher{MatchPattern: &matcher.StringMatcher_Prefix{Prefix: m.Prefix}},
+ }
case *networking.StringMatch_Regex:
out.QueryParameterMatchSpecifier = &route.QueryParameterMatcher_StringMatch{
StringMatch: &matcher.StringMatcher{
diff -Naur istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go istio-new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go
--- istio/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-04-08 16:02:02.000000000 +0800
+++ istio-new/pilot/pkg/serviceregistry/kube/controller/namespacecontroller.go 2023-04-08 14:35:57.000000000 +0800
@@ -16,6 +16,7 @@
import (
"fmt"
+ "os"
"time"
v1 "k8s.io/api/core/v1"
@@ -171,9 +172,16 @@
return k8s.InsertDataToConfigMap(nc.client, nc.configmapLister, meta, nc.caBundleWatcher.GetCABundle())
}
+var podNs = os.Getenv("POD_NAMESPACE")
+
// On namespace change, update the config map.
// If terminating, this will be skipped
func (nc *NamespaceController) namespaceChange(ns *v1.Namespace) {
+ // Added by ingress
+ if ns.Name != podNs {
+ return
+ }
+ // End added by ingress
if ns.Status.Phase != v1.NamespaceTerminating {
nc.syncNamespace(ns.Name)
}
@@ -186,6 +194,11 @@
log.Errorf("failed to convert to configmap: %v", err)
return
}
+ // Added by ingress
+ if cm.Namespace != podNs {
+ return
+ }
+ // End added by ingress
// This is a change to a configmap we don't watch, ignore it
if cm.Name != dynamicCACertNamespaceConfigMap {
return

30
istio/1.12/patches/istio/20230618-debug-api-anonymous.patch
View File

@@ -1,30 +0,0 @@
diff --color -Naur istio/pilot/pkg/features/pilot.go istio_new/pilot/pkg/features/pilot.go
--- istio/pilot/pkg/features/pilot.go 2023-06-18 20:13:57.715044832 +0800
+++ istio_new/pilot/pkg/features/pilot.go 2023-06-18 20:11:40.310406690 +0800
@@ -359,6 +359,9 @@
EnableUnsafeAdminEndpoints = env.RegisterBoolVar("UNSAFE_ENABLE_ADMIN_ENDPOINTS", false,
"If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.").Get()
+ DebugAuth = env.RegisterBoolVar("DEBUG_AUTH", true,
+ "If this is set to false, the debug interface will allow all anonymous request from any remote host, which is not recommended for production").Get()
+
XDSAuth = env.RegisterBoolVar("XDS_AUTH", true,
"If true, will authenticate XDS clients.").Get()
diff --color -Naur istio/pilot/pkg/xds/debug.go istio_new/pilot/pkg/xds/debug.go
--- istio/pilot/pkg/xds/debug.go 2023-06-18 20:13:57.695044739 +0800
+++ istio_new/pilot/pkg/xds/debug.go 2023-06-18 20:11:40.286406579 +0800
@@ -218,8 +218,12 @@
if internalMux != nil {
internalMux.HandleFunc(path, handler)
}
+ handlerFunc := http.HandlerFunc(handler)
+ if features.DebugAuth {
+ handlerFunc = s.allowAuthenticatedOrLocalhost(handlerFunc)
+ }
// Add handler with auth; this is expose on an HTTP server
- mux.HandleFunc(path, s.allowAuthenticatedOrLocalhost(http.HandlerFunc(handler)))
+ mux.HandleFunc(path, handlerFunc)
}
func (s *DiscoveryServer) allowAuthenticatedOrLocalhost(next http.Handler) http.HandlerFunc {

15
istio/1.12/patches/istio/20230627-debug-fix-configz.patch
View File

@@ -1,15 +0,0 @@
diff -Naur istio/pilot/pkg/xds/debug.go istio-new/pilot/pkg/xds/debug.go
--- istio/pilot/pkg/xds/debug.go 2023-06-27 14:08:00.000000000 +0800
+++ istio-new/pilot/pkg/xds/debug.go 2023-06-27 14:07:04.000000000 +0800
@@ -469,6 +469,11 @@
s.Env.IstioConfigStore.Schemas().ForEach(func(schema collection.Schema) bool {
cfg, _ := s.Env.IstioConfigStore.List(schema.Resource().GroupVersionKind(), "")
// Added by ingress
+ copied := make([]config.Config, len(cfg))
+ for i := range copied {
+ copied[i] = cfg[i].DeepCopy()
+ }
+ cfg = copied
switch schema.Resource().GroupVersionKind().String() {
case gvk.Gateway.String():
cfg = model.GatewayFilter(cfg)

124
istio/1.12/patches/istio/20230815-multi-arch.patch
View File

@@ -1,124 +0,0 @@
diff -Naur istio/bin/init.sh istio-new/bin/init.sh
--- istio/bin/init.sh 2023-08-15 21:01:53.601636573 +0800
+++ istio-new/bin/init.sh 2023-08-15 21:04:56.144783484 +0800
@@ -151,7 +151,8 @@
# download_envoy_if_necessary "${ISTIO_ENVOY_LINUX_RELEASE_URL}" "$ISTIO_ENVOY_LINUX_RELEASE_PATH" "${SIDECAR}"
# download_envoy_if_necessary "${ISTIO_ENVOY_CENTOS_RELEASE_URL}" "$ISTIO_ENVOY_CENTOS_LINUX_RELEASE_PATH" "${SIDECAR}-centos"
-untar_envoy_if_necessary "${ENVOY_TAR_PATH}" "$ISTIO_ENVOY_LINUX_RELEASE_PATH" "${SIDECAR}"
+untar_envoy_if_necessary "${ENVOY_TAR_DIR}/envoy-arm64.tar.gz" "$ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH" "${SIDECAR}"
+untar_envoy_if_necessary "${ENVOY_TAR_DIR}/envoy-amd64.tar.gz" "$ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH" "${SIDECAR}"
if [[ "$GOOS_LOCAL" == "darwin" ]]; then
# Download and extract the Envoy macOS release binary
diff -Naur istio/common/scripts/run.sh istio-new/common/scripts/run.sh
--- istio/common/scripts/run.sh 2023-08-15 21:01:53.601636573 +0800
+++ istio-new/common/scripts/run.sh 2023-08-15 17:37:57.754600731 +0800
@@ -36,7 +36,7 @@
HUB="${HUB:-istio}"
MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}"
-ENVOY_TAR_PATH="${ENVOY_TAR_PATH:-/home/package/envoy.tar.gz}"
+ENVOY_TAR_DIR="${ENVOY_TAR_DIR:-/home/package}"
MOUNT_DEST="${MOUNT_DEST:-/work}"
MOUNT_ROOT_SOURCE="${MOUNT_ROOT_SOURCE:-`cd $MOUNT_SOURCE/..;pwd`}"
MOUNT_PACKAGE_SOURCE="${MOUNT_PACKAGE_SOURCE:-`cd $MOUNT_SOURCE/../package;pwd`}"
@@ -61,7 +61,7 @@
-e TZ="${TIMEZONE:-$TZ}" \
-e GOPROXY="${GOPROXY}" \
-e HUB="${HUB}" \
- -e ENVOY_TAR_PATH="${ENVOY_TAR_PATH}" \
+ -e ENVOY_TAR_DIR="${ENVOY_TAR_DIR}" \
--mount "type=bind,source=${MOUNT_PACKAGE_SOURCE},destination=/home/package" \
--mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
--mount "type=bind,source=${MOUNT_ROOT_SOURCE}/..,destination=/parent" \
diff -Naur istio/common/scripts/setup_env.sh istio-new/common/scripts/setup_env.sh
--- istio/common/scripts/setup_env.sh 2023-08-15 21:01:53.601636573 +0800
+++ istio-new/common/scripts/setup_env.sh 2023-08-15 20:15:23.292391629 +0800
@@ -81,6 +81,9 @@
export TARGET_OUT="${TARGET_OUT:-$(pwd)/out/${TARGET_OS}_${TARGET_ARCH}}"
export TARGET_OUT_LINUX="${TARGET_OUT_LINUX:-$(pwd)/out/linux_${TARGET_ARCH}}"
+export ARM64_OUT_LINUX=/work/out/linux_arm64
+export AMD64_OUT_LINUX=/work/out/linux_amd64
+
export CONTAINER_TARGET_OUT="${CONTAINER_TARGET_OUT:-/work/out/${TARGET_OS}_${TARGET_ARCH}}"
export CONTAINER_TARGET_OUT_LINUX="${CONTAINER_TARGET_OUT_LINUX:-/work/out/linux_${TARGET_ARCH}}"
diff -Naur istio/Makefile.core.mk istio-new/Makefile.core.mk
--- istio/Makefile.core.mk 2023-08-15 21:01:53.601636573 +0800
+++ istio-new/Makefile.core.mk 2023-08-15 20:03:25.384280274 +0800
@@ -150,6 +150,11 @@
export ISTIO_ENVOY_CENTOS_LINUX_RELEASE_NAME ?= envoy-centos-${ISTIO_ENVOY_LINUX_VERSION}
export ISTIO_ENVOY_CENTOS_LINUX_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_RELEASE_DIR}/${ISTIO_ENVOY_CENTOS_LINUX_RELEASE_NAME}
+export ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR ?= ${ARM64_OUT_LINUX}/release
+export ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${ISTIO_ENVOY_LINUX_RELEASE_NAME}
+export ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR ?= ${AMD64_OUT_LINUX}/release
+export ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH ?= ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${ISTIO_ENVOY_LINUX_RELEASE_NAME}
+
# Envoy macOS vars.
# TODO Change url when official envoy release for macOS is available
export ISTIO_ENVOY_MACOS_VERSION ?= 1.0.2
@@ -240,6 +245,8 @@
${ISTIO_ENVOY_LINUX_DEBUG_PATH}: init
${ISTIO_ENVOY_LINUX_RELEASE_PATH}: init
${ISTIO_ENVOY_MACOS_RELEASE_PATH}: init
+${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH}: init
+${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH}: init
# Pull dependencies, based on the checked in Gopkg.lock file.
# Developers must manually run `dep ensure` if adding new deps
@@ -312,8 +319,8 @@
# various platform images.
.PHONY: build-linux
build-linux: depend
- GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ $(STANDARD_BINARIES)
- GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ -tags=agent $(AGENT_BINARIES)
+ GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) GOBUILDFLAGS='-buildvcs=false' common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ $(STANDARD_BINARIES)
+ GOOS=linux GOARCH=$(GOARCH_LOCAL) LDFLAGS=$(RELEASE_LDFLAGS) GOBUILDFLAGS='-buildvcs=false' common/scripts/gobuild.sh $(ISTIO_OUT_LINUX)/ -tags=agent $(AGENT_BINARIES)
# Create targets for ISTIO_OUT_LINUX/binary
# There are two use cases here:
diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
--- istio/tools/istio-docker.mk 2023-08-15 21:01:53.621637356 +0800
+++ istio-new/tools/istio-docker.mk 2023-08-15 20:02:11.881402098 +0800
@@ -77,6 +77,14 @@
${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_PATH}
cp ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_PATH} ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
+${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH}
+ mkdir -p $(DOCKER_BUILD_TOP)/proxyv2
+ cp ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_PATH} ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
+
+${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH}
+ mkdir -p $(DOCKER_BUILD_TOP)/proxyv2
+ cp ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_PATH} ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
+
# rule for wasm extensions.
$(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.wasm: init
$(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.compiled.wasm: init
@@ -88,7 +96,8 @@
docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
-docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/${SIDECAR}
+docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
+docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
docker.proxyv2: pilot/docker/Dockerfile.proxyv2
# docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.wasm
@@ -324,7 +333,13 @@
# This can be done with DOCKER_BUILD_VARIANTS="default debug" as well, but at the expense of building twice vs building once and tagging twice
INCLUDE_UNTAGGED_DEFAULT ?= false
DEFAULT_DISTRIBUTION=debug
+
+
+ifeq ($(BUILDX_PLATFORM), true)
+DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./tools/docker-copy.sh $^ $(DOCKER_BUILD_TOP)/$@ && cd $(DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker buildx create --use && docker buildx build --no-cache --platform linux/amd64,linux/arm64 $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . --push ); )
+else
DOCKER_RULE ?= $(foreach VARIANT,$(DOCKER_BUILD_VARIANTS), time (mkdir -p $(DOCKER_BUILD_TOP)/$@ && TARGET_ARCH=$(TARGET_ARCH) ./tools/docker-copy.sh $^ $(DOCKER_BUILD_TOP)/$@ && cd $(DOCKER_BUILD_TOP)/$@ $(BUILD_PRE) && docker build $(BUILD_ARGS) --build-arg BASE_DISTRIBUTION=$(call normalize-tag,$(VARIANT)) -t $(HUB)/$(subst docker.,,$@):$(TAG)$(call variant-tag,$(VARIANT)) -f Dockerfile$(suffix $@) . ); )
+endif
RENAME_TEMPLATE ?= mkdir -p $(DOCKER_BUILD_TOP)/$@ && cp $(ECHO_DOCKER)/$(VM_OS_DOCKERFILE_TEMPLATE) $(DOCKER_BUILD_TOP)/$@/Dockerfile$(suffix $@)
# This target will package all docker images used in test and release, without re-building

14
istio/1.12/patches/istio/20230922-gateway-class.patch
View File

@@ -1,14 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio_new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2023-09-22 11:06:50.400535200 +0800
+++ istio_new/pilot/pkg/config/kube/gateway/conversion.go 2023-09-22 11:07:52.954982700 +0800
@@ -37,8 +37,8 @@
)
const (
- DefaultClassName = "istio"
- ControllerName = "istio.io/gateway-controller"
+ DefaultClassName = "higress"
+ ControllerName = "higress.io/gateway-controller"
)
// KubernetesResources stores all inputs to our conversion

71
istio/1.12/patches/istio/20230925-gateway-httproute.patch
View File

@@ -1,71 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2023-09-25 17:26:32.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2023-09-25 17:25:27.000000000 +0800
@@ -656,6 +656,16 @@
Port: &istio.PortSelector{Number: uint32(*to.Port)},
}, nil
}
+ if equal((*string)(to.Group), "networking.higress.io") && nilOrEqual((*string)(to.Kind), "Service") {
+ var port *istio.PortSelector
+ if to.Port != nil {
+ port = &istio.PortSelector{Number: uint32(*to.Port)}
+ }
+ return &istio.Destination{
+ Host: string(to.Name),
+ Port: port,
+ }, nil
+ }
return nil, &ConfigError{
Reason: InvalidDestination,
Message: fmt.Sprintf("referencing unsupported backendRef: group %q kind %q", emptyIfNil((*string)(to.Group)), emptyIfNil((*string)(to.Kind))),
@@ -912,7 +922,7 @@
ObservedGeneration: obj.Generation,
LastTransitionTime: metav1.Now(),
Reason: string(k8s.GatewayClassConditionStatusAccepted),
- Message: "Handled by Istio controller",
+ Message: "Handled by Higress controller",
})
return gcs
})
@@ -1371,6 +1381,10 @@
return d
}
+func equal(have *string, expected string) bool {
+ return have != nil && *have == expected
+}
+
func nilOrEqual(have *string, expected string) bool {
return have == nil || *have == expected
}
diff -Naur istio/pilot/pkg/leaderelection/leaderelection.go istio-new/pilot/pkg/leaderelection/leaderelection.go
--- istio/pilot/pkg/leaderelection/leaderelection.go 2023-09-25 17:26:31.000000000 +0800
+++ istio-new/pilot/pkg/leaderelection/leaderelection.go 2023-09-25 14:59:39.000000000 +0800
@@ -35,20 +35,20 @@
// Various locks used throughout the code
const (
- NamespaceController = "istio-namespace-controller-election"
- ServiceExportController = "istio-serviceexport-controller-election"
+ NamespaceController = "higress-namespace-controller-election"
+ ServiceExportController = "higress-serviceexport-controller-election"
// This holds the legacy name to not conflict with older control plane deployments which are just
// doing the ingress syncing.
- IngressController = "istio-leader"
+ IngressController = "higress-leader"
// GatewayStatusController controls the status of gateway.networking.k8s.io objects. For the v1alpha1
// this was formally "istio-gateway-leader"; because they are a different API group we need a different
// election to ensure we do not only handle one or the other.
- GatewayStatusController = "istio-gateway-status-leader"
+ GatewayStatusController = "higress-gateway-status-leader"
// GatewayDeploymentController controls the Deployment/Service generation from Gateways. This is
// separate from GatewayStatusController to allow running in a separate process (for low priv).
- GatewayDeploymentController = "istio-gateway-deployment-leader"
- StatusController = "istio-status-leader"
- AnalyzeController = "istio-analyze-leader"
+ GatewayDeploymentController = "higress-gateway-deployment-leader"
+ StatusController = "higress-status-leader"
+ AnalyzeController = "higress-analyze-leader"
)
var ClusterScopedNamespaceController = NamespaceController

90
istio/1.12/patches/istio/20231008-gateway-fallback.patch
View File

@@ -1,90 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2023-10-08 19:54:47.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2023-09-27 16:10:42.000000000 +0800
@@ -18,6 +18,7 @@
"fmt"
"regexp"
"sort"
+ "strconv"
"strings"
corev1 "k8s.io/api/core/v1"
@@ -176,7 +177,9 @@
hosts := hostnameToStringList(route.Hostnames)
for _, r := range route.Rules {
// TODO: implement rewrite, timeout, mirror, corspolicy, retries
- vs := &istio.HTTPRoute{}
+ vs := &istio.HTTPRoute{
+ Name: obj.Name,
+ }
for _, match := range r.Matches {
uri, err := createURIMatch(match)
if err != nil {
@@ -246,7 +249,9 @@
}}
}
- route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero)
+ fallbackCluster := obj.Annotations["higress.io/fallback-service"]
+
+ route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
if err != nil {
reportError(err)
return nil
@@ -581,11 +586,33 @@
return r
}
-func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool) ([]*istio.HTTPRouteDestination, *ConfigError) {
+func buildHTTPDestination(forwardTo []k8s.HTTPBackendRef, ns string, domain string, totalZero bool, fallbackCluster string) ([]*istio.HTTPRouteDestination, *ConfigError) {
if forwardTo == nil {
return nil, nil
}
+ var fallbackDest *istio.Destination
+ if fallbackCluster != "" {
+ var port uint64
+ host := fallbackCluster
+ colon := strings.LastIndex(fallbackCluster, ":")
+ if colon != -1 {
+ var err error
+ port, err = strconv.ParseUint(fallbackCluster[colon+1:], 10, 32)
+ if err == nil && port > 0 && port < 65536 {
+ host = fallbackCluster[:colon]
+ }
+ }
+ fallbackDest = &istio.Destination{
+ Host: host,
+ }
+ if port > 0 {
+ fallbackDest.Port = &istio.PortSelector{
+ Number: uint32(port),
+ }
+ }
+ }
+
weights := []int{}
action := []k8s.HTTPBackendRef{}
for i, w := range forwardTo {
@@ -612,6 +639,9 @@
Destination: dst,
Weight: int32(weights[i]),
}
+ if fallbackDest != nil {
+ rd.FallbackClusters = append(rd.FallbackClusters, fallbackDest)
+ }
for _, filter := range fwd.Filters {
switch filter.Type {
case k8s.HTTPRouteFilterRequestHeaderModifier:
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-10-08 19:54:46.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-09-27 16:18:16.000000000 +0800
@@ -669,7 +669,7 @@
}
var singleClusterConfig *fallback.ClusterFallbackConfig
var weightedClusterConfig *fallback.ClusterFallbackConfig
- isSupportFallback := supportFallback(node)
+ isSupportFallback := true
// Added by ingress
if len(in.Route) == 1 {
route := in.Route[0]

13
istio/1.12/patches/istio/20231024-cds-add-fallback.patch
View File

@@ -1,13 +0,0 @@
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2023-10-24 10:55:51.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2023-10-20 17:00:06.000000000 +0800
@@ -704,6 +704,9 @@
if r.Destination != nil {
out = append(out, r.Destination.Host)
}
+ for _, d := range r.FallbackClusters {
+ out = append(out, d.Host)
+ }
}
if h.Mirror != nil {
out = append(out, h.Mirror.Host)

2202
istio/1.12/patches/istio/20231031-gatewayapi-v1beta1.patch
View File

File diff suppressed because it is too large Load Diff

377
istio/1.12/patches/istio/20231103-gatewayapi-sort.patch
View File

@@ -1,377 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2023-11-03 17:14:50.000000000 +0800
@@ -151,15 +151,113 @@
}
}
+ // for gateway routes, build one VS per gateway+host
+ gatewayRoutes := make(map[string]map[string]*config.Config)
+
for _, obj := range r.HTTPRoute {
- if vsConfig := buildHTTPVirtualServices(obj, gatewayMap, r.Domain); vsConfig != nil {
+ buildHTTPVirtualServices(r, obj, gatewayMap, gatewayRoutes, r.Domain)
+ }
+ for _, vsByHost := range gatewayRoutes {
+ for _, vsConfig := range vsByHost {
result = append(result, *vsConfig)
}
}
return result
}
-func buildHTTPVirtualServices(obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, domain string) *config.Config {
+// getURIRank ranks a URI match type. Exact > Prefix > Regex
+func getURIRank(match *istio.HTTPMatchRequest) int {
+ if match.Uri == nil {
+ return -1
+ }
+ switch match.Uri.MatchType.(type) {
+ case *istio.StringMatch_Exact:
+ return 3
+ case *istio.StringMatch_Prefix:
+ return 2
+ case *istio.StringMatch_Regex:
+ // TODO optimize in new verison envoy
+ if strings.HasSuffix(match.Uri.GetRegex(), prefixMatchRegex) &&
+ !strings.ContainsAny(strings.TrimSuffix(match.Uri.GetRegex(), prefixMatchRegex), `\.+*?()|[]{}^$`) {
+ return 2
+ }
+ return 1
+ }
+ // should not happen
+ return -1
+}
+
+func getURILength(match *istio.HTTPMatchRequest) int {
+ if match.Uri == nil {
+ return 0
+ }
+ switch match.Uri.MatchType.(type) {
+ case *istio.StringMatch_Prefix:
+ return len(match.Uri.GetPrefix())
+ case *istio.StringMatch_Exact:
+ return len(match.Uri.GetExact())
+ case *istio.StringMatch_Regex:
+ return len(match.Uri.GetRegex())
+ }
+ // should not happen
+ return -1
+}
+
+// sortHTTPRoutes sorts generated vs routes to meet gateway-api requirements
+// see https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRouteRule
+func sortHTTPRoutes(routes []*istio.HTTPRoute) {
+ sort.SliceStable(routes, func(i, j int) bool {
+ if len(routes[i].Match) == 0 {
+ return false
+ } else if len(routes[j].Match) == 0 {
+ return true
+ }
+ // Only look at match[0], we always generate only one match
+ m1, m2 := routes[i].Match[0], routes[j].Match[0]
+ r1, r2 := getURIRank(m1), getURIRank(m2)
+ len1, len2 := getURILength(m1), getURILength(m2)
+ switch {
+ // 1: Exact/Prefix/Regex
+ case r1 != r2:
+ return r1 > r2
+ case len1 != len2:
+ return len1 > len2
+ // 2: method math
+ case (m1.Method == nil) != (m2.Method == nil):
+ return m1.Method != nil
+ // 3: number of header matches
+ case len(m1.Headers) != len(m2.Headers):
+ return len(m1.Headers) > len(m2.Headers)
+ // 4: number of query matches
+ default:
+ return len(m1.QueryParams) > len(m2.QueryParams)
+ }
+ })
+}
+
+func routeMeta(obj config.Config) map[string]string {
+ m := parentMeta(obj, nil)
+ m[constants.InternalRouteSemantics] = constants.RouteSemanticsGateway
+ return m
+}
+
+func filteredReferences(parents []routeParentReference) []routeParentReference {
+ ret := make([]routeParentReference, 0, len(parents))
+ for _, p := range parents {
+ if p.DeniedReason != nil {
+ // We should filter this out
+ continue
+ }
+ ret = append(ret, p)
+ }
+ // To ensure deterministic order, sort them
+ sort.Slice(ret, func(i, j int) bool {
+ return ret[i].InternalName < ret[j].InternalName
+ })
+ return ret
+}
+
+func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
parentRefs := extractParentReferenceInfo(gateways, route.ParentRefs, route.Hostnames, gvk.HTTPRoute, obj.Namespace)
@@ -172,10 +270,7 @@
})
}
- name := fmt.Sprintf("%s-%s", obj.Name, constants.KubernetesGatewayName)
-
httproutes := []*istio.HTTPRoute{}
- hosts := hostnameToStringList(route.Hostnames)
for _, r := range route.Rules {
// TODO: implement rewrite, timeout, mirror, corspolicy, retries
vs := &istio.HTTPRoute{
@@ -185,22 +280,22 @@
uri, err := createURIMatch(match)
if err != nil {
reportError(err)
- return nil
+ return
}
headers, err := createHeadersMatch(match)
if err != nil {
reportError(err)
- return nil
+ return
}
qp, err := createQueryParamsMatch(match)
if err != nil {
reportError(err)
- return nil
+ return
}
method, err := createMethodMatch(match)
if err != nil {
reportError(err)
- return nil
+ return
}
vs.Match = append(vs.Match, &istio.HTTPMatchRequest{
Uri: uri,
@@ -219,7 +314,7 @@
mirror, err := createMirrorFilter(filter.RequestMirror, obj.Namespace, domain)
if err != nil {
reportError(err)
- return nil
+ return
}
vs.Mirror = mirror
default:
@@ -227,7 +322,7 @@
Reason: InvalidFilter,
Message: fmt.Sprintf("unsupported filter type %q", filter.Type),
})
- return nil
+ return
}
}
@@ -255,33 +350,65 @@
route, err := buildHTTPDestination(r.BackendRefs, obj.Namespace, domain, zero, fallbackCluster)
if err != nil {
reportError(err)
- return nil
+ return
}
vs.Route = route
httproutes = append(httproutes, vs)
}
reportError(nil)
- gatewayNames := referencesToInternalNames(parentRefs)
- if len(gatewayNames) == 0 {
- return nil
+
+ count := 0
+ for _, parent := range filteredReferences(parentRefs) {
+ // for gateway routes, build one VS per gateway+host
+ routeMap := gatewayRoutes
+ routeKey := parent.InternalName
+ vsHosts := hostnameToStringList(route.Hostnames)
+ routes := httproutes
+ if len(routes) == 0 {
+ continue
+ }
+ if _, f := routeMap[routeKey]; !f {
+ routeMap[routeKey] = make(map[string]*config.Config)
+ }
+
+ // Create one VS per hostname with a single hostname.
+ // This ensures we can treat each hostname independently, as the spec requires
+ for _, h := range vsHosts {
+ if cfg := routeMap[routeKey][h]; cfg != nil {
+ // merge http routes
+ vs := cfg.Spec.(*istio.VirtualService)
+ vs.Http = append(vs.Http, routes...)
+ // append parents
+ cfg.Annotations[constants.InternalParentNames] = fmt.Sprintf("%s,%s/%s.%s",
+ cfg.Annotations[constants.InternalParentNames], obj.GroupVersionKind.Kind, obj.Name, obj.Namespace)
+ } else {
+ name := fmt.Sprintf("%s-%d-%s", obj.Name, count, constants.KubernetesGatewayName)
+ routeMap[routeKey][h] = &config.Config{
+ Meta: config.Meta{
+ CreationTimestamp: obj.CreationTimestamp,
+ GroupVersionKind: gvk.VirtualService,
+ Name: name,
+ Annotations: routeMeta(obj),
+ Namespace: obj.Namespace,
+ Domain: ctx.Domain,
+ },
+ Spec: &istio.VirtualService{
+ Hosts: []string{h},
+ Gateways: []string{parent.InternalName},
+ Http: routes,
+ },
+ }
+ count++
+ }
+ }
}
- vsConfig := config.Config{
- Meta: config.Meta{
- CreationTimestamp: obj.CreationTimestamp,
- GroupVersionKind: gvk.VirtualService,
- Name: name,
- Annotations: parentMeta(obj, nil),
- Namespace: obj.Namespace,
- Domain: domain,
- },
- Spec: &istio.VirtualService{
- Hosts: hosts,
- Gateways: gatewayNames,
- Http: httproutes,
- },
+ for _, vsByHost := range gatewayRoutes {
+ for _, cfg := range vsByHost {
+ vs := cfg.Spec.(*istio.VirtualService)
+ sortHTTPRoutes(vs.Http)
+ }
}
- return &vsConfig
}
func parentMeta(obj config.Config, sectionName *gatewayapiV1beta1.SectionName) map[string]string {
@@ -1155,9 +1282,11 @@
}
gs.Addresses = make([]gatewayapiV1beta1.GatewayAddress, 0, len(addressesToReport))
for _, addr := range addressesToReport {
+ addrPairs := strings.Split(addr, ":")
gs.Addresses = append(gs.Addresses, gatewayapiV1beta1.GatewayAddress{
- Type: &addrType,
- Value: addr,
+ Type: &addrType,
+ // strip the port
+ Value: addrPairs[0],
})
}
return gs
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2023-11-03 17:05:47.000000000 +0800
@@ -841,7 +841,19 @@
func (ps *PushContext) VirtualServicesForGateway(proxy *Proxy, gateway string) []config.Config {
res := ps.virtualServiceIndex.privateByNamespaceAndGateway[proxy.ConfigNamespace][gateway]
res = append(res, ps.virtualServiceIndex.exportedToNamespaceByGateway[proxy.ConfigNamespace][gateway]...)
- res = append(res, ps.virtualServiceIndex.publicByGateway[gateway]...)
+
+ // Favor same-namespace Gateway routes, to give the "consumer override" preference.
+ // We do 2 iterations here to avoid extra allocations.
+ for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
+ if UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace {
+ res = append(res, vs)
+ }
+ }
+ for _, vs := range ps.virtualServiceIndex.publicByGateway[gateway] {
+ if !(UseGatewaySemantics(vs) && vs.Namespace == proxy.ConfigNamespace) {
+ res = append(res, vs)
+ }
+ }
return res
}
diff -Naur istio/pilot/pkg/model/virtualservice.go istio-new/pilot/pkg/model/virtualservice.go
--- istio/pilot/pkg/model/virtualservice.go 2023-11-03 17:18:55.000000000 +0800
+++ istio-new/pilot/pkg/model/virtualservice.go 2023-11-03 15:19:08.000000000 +0800
@@ -76,6 +76,11 @@
}
func resolveVirtualServiceShortnames(rule *networking.VirtualService, meta config.Meta) {
+ // Kubernetes Gateway API semantics support shortnames
+ // if UseGatewaySemantics(config.Config{Meta: meta}) {
+ // return
+ // }
+
// resolve top level hosts
for i, h := range rule.Hosts {
rule.Hosts[i] = string(ResolveShortnameToFQDN(h, meta))
@@ -524,3 +529,10 @@
}
return false
}
+
+// UseGatewaySemantics determines which logic we should use for VirtualService
+// This allows gateway-api and VS to both be represented by VirtualService, but have different
+// semantics.
+func UseGatewaySemantics(cfg config.Config) bool {
+ return cfg.Annotations[constants.InternalRouteSemantics] == constants.RouteSemanticsGateway
+}
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go
--- istio/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-11-03 17:18:56.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route.go 2023-11-03 17:05:55.000000000 +0800
@@ -408,7 +408,6 @@
break
}
}
-
if len(out) == 0 {
return nil, fmt.Errorf("no routes matched")
}
@@ -493,6 +492,14 @@
},
}
+ if model.UseGatewaySemantics(virtualService) {
+ if uri, isPrefixReplace := cutPrefix(redirect.Uri, "%PREFIX()%"); isPrefixReplace {
+ action.Redirect.PathRewriteSpecifier = &route.RedirectAction_PrefixRewrite{
+ PrefixRewrite: uri,
+ }
+ }
+ }
+
if redirect.Scheme != "" {
action.Redirect.SchemeRewriteSpecifier = &route.RedirectAction_SchemeRedirect{SchemeRedirect: redirect.Scheme}
}
@@ -1616,3 +1623,10 @@
isSupport = curVersion.GreaterThan(notSupportFallback)
return
}
+
+func cutPrefix(s, prefix string) (after string, found bool) {
+ if !strings.HasPrefix(s, prefix) {
+ return s, false
+ }
+ return s[len(prefix):], true
+}
diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
--- istio/pkg/config/constants/constants.go 2023-11-03 17:18:54.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go 2023-11-03 14:29:27.000000000 +0800
@@ -15,6 +15,12 @@
package constants
const (
+ InternalParentNames = "internal.istio.io/parents"
+
+ InternalRouteSemantics = "internal.istio.io/route-semantics"
+
+ RouteSemanticsGateway = "gateway"
+
// UnspecifiedIP constant for empty IP address
UnspecifiedIP = "0.0.0.0"

50
istio/1.12/patches/istio/20231104-gatewayapi-catchall.patch
View File

@@ -1,50 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2023-11-03 20:09:38.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2023-11-03 20:02:26.000000000 +0800
@@ -165,6 +165,34 @@
return result
}
+// isCatchAll returns true if HTTPMatchRequest is a catchall match otherwise
+// false. Note - this may not be exactly "catch all" as we don't know the full
+// class of possible inputs As such, this is used only for optimization.
+func isCatchAllMatch(m *istio.HTTPMatchRequest) bool {
+ catchall := false
+ if m.Uri != nil {
+ switch m := m.Uri.MatchType.(type) {
+ case *istio.StringMatch_Prefix:
+ catchall = m.Prefix == "/"
+ case *istio.StringMatch_Regex:
+ catchall = m.Regex == "*"
+ }
+ }
+ // A Match is catch all if and only if it has no match set
+ // and URI has a prefix / or regex *.
+ return catchall &&
+ len(m.Headers) == 0 &&
+ len(m.QueryParams) == 0 &&
+ len(m.SourceLabels) == 0 &&
+ len(m.WithoutHeaders) == 0 &&
+ len(m.Gateways) == 0 &&
+ m.Method == nil &&
+ m.Scheme == nil &&
+ m.Port == 0 &&
+ m.Authority == nil &&
+ m.SourceNamespace == ""
+}
+
// getURIRank ranks a URI match type. Exact > Prefix > Regex
func getURIRank(match *istio.HTTPMatchRequest) int {
if match.Uri == nil {
@@ -212,6 +240,11 @@
} else if len(routes[j].Match) == 0 {
return true
}
+ if isCatchAllMatch(routes[i].Match[0]) {
+ return false
+ } else if isCatchAllMatch(routes[j].Match[0]) {
+ return true
+ }
// Only look at match[0], we always generate only one match
m1, m2 := routes[i].Match[0], routes[j].Match[0]
r1, r2 := getURIRank(m1), getURIRank(m2)

62
istio/1.12/patches/istio/20231115-optimize-xds-push.patch
View File

@@ -1,62 +0,0 @@
diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
--- istio/pilot/pkg/xds/ads.go 2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/ads.go 2023-11-15 20:24:20.000000000 +0800
@@ -318,6 +318,27 @@
<-con.initialized
for {
+ // Go select{} statements are not ordered; the same channel can be chosen many times.
+ // For requests, these are higher priority (client may be blocked on startup until these are done)
+ // and often very cheap to handle (simple ACK), so we check it first.
+ select {
+ case req, ok := <-con.reqChan:
+ if ok {
+ if err := s.processRequest(req, con); err != nil {
+ return err
+ }
+ } else {
+ // Remote side closed connection or error processing the request.
+ return <-con.errorChan
+ }
+ case <-con.stop:
+ return nil
+ default:
+ }
+ // If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+ // amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+ // however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+ // cannot completely starve pushes. However, this scenario is unlikely.
select {
case req, ok := <-con.reqChan:
if ok {
diff -Naur istio/pilot/pkg/xds/delta.go istio-new/pilot/pkg/xds/delta.go
--- istio/pilot/pkg/xds/delta.go 2023-11-15 20:25:18.000000000 +0800
+++ istio-new/pilot/pkg/xds/delta.go 2023-11-15 20:24:44.000000000 +0800
@@ -102,6 +102,27 @@
<-con.initialized
for {
+ // Go select{} statements are not ordered; the same channel can be chosen many times.
+ // For requests, these are higher priority (client may be blocked on startup until these are done)
+ // and often very cheap to handle (simple ACK), so we check it first.
+ select {
+ case req, ok := <-con.deltaReqChan:
+ if ok {
+ if err := s.processDeltaRequest(req, con); err != nil {
+ return err
+ }
+ } else {
+ // Remote side closed connection or error processing the request.
+ return <-con.errorChan
+ }
+ case <-con.stop:
+ return nil
+ default:
+ }
+ // If there wasn't already a request, poll for requests and pushes. Note: if we have a huge
+ // amount of incoming requests, we may still send some pushes, as we do not `continue` above;
+ // however, requests will be handled ~2x as much as pushes. This ensures a wave of requests
+ // cannot completely starve pushes. However, this scenario is unlikely.
select {
case req, ok := <-con.deltaReqChan:
if ok {

633
istio/1.12/patches/istio/20240104-enhance-srds.patch
View File

@@ -1,633 +0,0 @@
diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
--- istio/pilot/pkg/features/pilot.go 2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go 2024-01-04 21:20:00.000000000 +0800
@@ -569,6 +569,12 @@
// Added by ingress
CustomCACertConfigMapName = env.RegisterStringVar("CUSTOM_CA_CERT_NAME", "",
"Defines the configmap's name of istio's root ca certificate").Get()
+ HostRDSMergeSubset = env.RegisterBoolVar("HOST_RDS_MERGE_SUBSET", true,
+ "If enabled, if host A is a subset of B, then we merge B's routes into A's hostRDS").Get()
+ EnableScopedRDS = env.RegisterBoolVar("ENBALE_SCOPED_RDS", true,
+ "If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
+ OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
+ "If enabled, the on demand filter will be added to the HCM filters").Get()
// End added by ingress
)
diff -Naur istio/pilot/pkg/networking/core/configgen.go istio-new/pilot/pkg/networking/core/configgen.go
--- istio/pilot/pkg/networking/core/configgen.go 2024-01-05 17:58:02.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/configgen.go 2024-01-04 21:20:00.000000000 +0800
@@ -17,6 +17,7 @@
import (
core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+ route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
meshconfig "istio.io/api/mesh/v1alpha1"
@@ -44,6 +45,10 @@
// BuildHTTPRoutes returns the list of HTTP routes for the given proxy. This is the RDS output
BuildHTTPRoutes(node *model.Proxy, req *model.PushRequest, routeNames []string) ([]*discovery.Resource, model.XdsLogDetails)
+ // Added by ingress
+ BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration
+ // End added by ingress
+
// BuildNameTable returns list of hostnames and the associated IPs
BuildNameTable(node *model.Proxy, push *model.PushContext) *dnsProto.NameTable
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-01-05 11:19:54.000000000 +0800
@@ -41,7 +41,9 @@
"istio.io/istio/pilot/pkg/networking/plugin"
"istio.io/istio/pilot/pkg/networking/util"
authn_model "istio.io/istio/pilot/pkg/security/model"
+ "istio.io/istio/pilot/pkg/util/sets"
"istio.io/istio/pkg/config"
+ "istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/config/gateway"
"istio.io/istio/pkg/config/host"
"istio.io/istio/pkg/config/protocol"
@@ -104,10 +106,15 @@
// We can also have QUIC on a given port along with HTTPS/TLS on a given port. It does not
// cause port-conflict as they use different transport protocols
opts := &buildListenerOpts{
- push: builder.push,
- proxy: builder.node,
- bind: bind,
- port: &model.Port{Port: int(port.Number)},
+ push: builder.push,
+ proxy: builder.node,
+ bind: bind,
+ port: &model.Port{
+ Port: int(port.Number),
+ // Added by ingress
+ Protocol: protocol.Parse(port.Protocol),
+ // End added by ingress
+ },
bindToPort: true,
class: istionetworking.ListenerClassGateway,
transport: transport,
@@ -340,6 +347,269 @@
return nameToServiceMap
}
+// Added by ingress
+func (configgen *ConfigGeneratorImpl) BuildScopedRoutes(node *model.Proxy, push *model.PushContext) []*route.ScopedRouteConfiguration {
+ if node.MergedGateway == nil {
+ log.Warnf("buildScopedRoutes: no gateways for router %v", node.ID)
+ return nil
+ }
+ merged := node.MergedGateway
+ var out []*route.ScopedRouteConfiguration
+ gatewayVirtualServices := make(map[string][]config.Config)
+ serverIterator := func(listenerPort int, mergedServers map[model.ServerPort]*model.MergedServers) sets.Set {
+ hostSet := sets.NewSet()
+ for port, servers := range mergedServers {
+ if port.Number != uint32(listenerPort) {
+ continue
+ }
+ for _, server := range servers.Servers {
+ gatewayName := merged.GatewayNameForServer[server]
+
+ var virtualServices []config.Config
+ var exists bool
+
+ if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
+ virtualServices = push.VirtualServicesForGateway(node, gatewayName)
+ gatewayVirtualServices[gatewayName] = virtualServices
+ }
+ for _, virtualService := range virtualServices {
+ for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
+ hostSet.Insert(host)
+ }
+ }
+ }
+ }
+ return hostSet
+ }
+ buildPortHostScopedRoute := func(listenerPort model.ServerPort) {
+ p := protocol.Parse(listenerPort.Protocol)
+ if !p.IsHTTP() && p != protocol.HTTPS {
+ return
+ }
+ port := strconv.Itoa(int(listenerPort.Number))
+ hostSet := serverIterator(int(listenerPort.Number), merged.MergedServers).
+ Union(serverIterator(int(listenerPort.Number), merged.MergedQUICTransportServers))
+ for host, _ := range hostSet {
+ portKey := &route.ScopedRouteConfiguration_Key_Fragment{
+ Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
+ StringKey: port,
+ },
+ }
+ hostKey := &route.ScopedRouteConfiguration_Key_Fragment{
+ Type: &route.ScopedRouteConfiguration_Key_Fragment_StringKey{
+ StringKey: host,
+ },
+ }
+ name := strings.Join([]string{port, host}, ".")
+ out = append(out, &route.ScopedRouteConfiguration{
+ OnDemand: features.OnDemandRDS,
+ Name: name,
+ RouteConfigurationName: constants.HigressHostRDSNamePrefix + name,
+ Key: &route.ScopedRouteConfiguration_Key{
+ Fragments: []*route.ScopedRouteConfiguration_Key_Fragment{portKey, hostKey},
+ },
+ })
+ }
+ }
+ for _, port := range merged.ServerPorts {
+ buildPortHostScopedRoute(port)
+ }
+ return out
+}
+
+type virtualServiceContext struct {
+ virtualService config.Config
+ server *networking.Server
+ gatewayName string
+}
+
+func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
+ routeName string) *route.RouteConfiguration {
+ var (
+ hostRDSPort string
+ hostRDSHost string
+ )
+ portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
+ if len(portAndHost) != 2 {
+ log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
+ return nil
+ }
+ hostRDSPort = portAndHost[0]
+ hostRDSHost = portAndHost[1]
+ merged := node.MergedGateway
+ log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
+ rdsPort, err := strconv.Atoi(hostRDSPort)
+ if err != nil {
+ log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
+ return nil
+ }
+ listenerPort := uint32(rdsPort)
+ globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+
+ isH3DiscoveryNeeded := false
+
+ // When this is true, we add alt-svc header to the response to tell the client
+ // that HTTP/3 over QUIC is available on the same port for this host. This is
+ // very important for discovering HTTP/3 services
+ for port, servers := range merged.MergedQUICTransportServers {
+ if port.Number == listenerPort && len(servers.Servers) > 0 {
+ isH3DiscoveryNeeded = true
+ break
+ }
+ }
+
+ gatewayRoutes := make(map[string]map[string][]*route.Route)
+ gatewayVirtualServices := make(map[string][]config.Config)
+ var selectedVirtualServices []virtualServiceContext
+ var vHost *route.VirtualHost
+ serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
+ for port, servers := range mergedServers {
+ if port.Number != listenerPort {
+ continue
+ }
+ for _, server := range servers.Servers {
+ gatewayName := merged.GatewayNameForServer[server]
+
+ var virtualServices []config.Config
+ var exists bool
+
+ if virtualServices, exists = gatewayVirtualServices[gatewayName]; !exists {
+ virtualServices = push.VirtualServicesForGateway(node, gatewayName)
+ gatewayVirtualServices[gatewayName] = virtualServices
+ }
+ for _, virtualService := range virtualServices {
+ hostMatch := false
+ var selectHost string
+ virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+ for _, hostname := range virtualServiceHosts {
+ // exact match
+ if hostname == host.Name(hostRDSHost) {
+ hostMatch = true
+ selectHost = hostRDSHost
+ break
+ }
+ if features.HostRDSMergeSubset {
+ // subset match
+ if host.Name(hostRDSHost).SubsetOf(hostname) {
+ hostMatch = true
+ selectHost = string(hostname)
+ }
+ }
+ }
+ if !hostMatch {
+ continue
+ }
+ copiedVS := virtualService.DeepCopy()
+ copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
+ selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+ virtualService: copiedVS,
+ server: server,
+ gatewayName: gatewayName,
+ })
+ }
+ }
+ }
+ }
+ serverIterator(merged.MergedServers)
+ serverIterator(merged.MergedQUICTransportServers)
+ // Sort by subset
+ // before: ["*.abc.com", "*.com", "www.abc.com"]
+ // after: ["www.abc.com", "*.abc.com", "*.com"]
+ sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+ return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+ host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+ })
+ port := int(listenerPort)
+ for _, ctx := range selectedVirtualServices {
+ virtualService := ctx.virtualService
+ server := ctx.server
+ gatewayName := ctx.gatewayName
+ // Make sure we can obtain services which are visible to this virtualService as much as possible.
+ nameToServiceMap := buildNameToServiceMapForHTTPRoutes(node, push, virtualService)
+
+ var routes []*route.Route
+ var exists bool
+ var err error
+ if _, exists = gatewayRoutes[gatewayName]; !exists {
+ gatewayRoutes[gatewayName] = make(map[string][]*route.Route)
+ }
+
+ vskey := virtualService.Name + "/" + virtualService.Namespace
+
+ if routes, exists = gatewayRoutes[gatewayName][vskey]; !exists {
+ hashByDestination := istio_route.GetConsistentHashForVirtualService(push, node, virtualService, nameToServiceMap)
+ routes, err = istio_route.BuildHTTPRoutesForVirtualServiceWithHTTPFilters(node, virtualService, nameToServiceMap,
+ hashByDestination, port, map[string]bool{gatewayName: true}, isH3DiscoveryNeeded, push.Mesh, globalHTTPFilters)
+ if err != nil {
+ log.Debugf("%s omitting routes for virtual service %v/%v due to error: %v", node.ID, virtualService.Namespace, virtualService.Name, err)
+ continue
+ }
+ gatewayRoutes[gatewayName][vskey] = routes
+ }
+
+ if vHost != nil {
+ vHost.Routes = append(vHost.Routes, routes...)
+ if server.Tls != nil && server.Tls.HttpsRedirect {
+ vHost.RequireTls = route.VirtualHost_ALL
+ }
+ } else {
+ vHost = &route.VirtualHost{
+ Name: util.DomainName(hostRDSHost, port),
+ Domains: buildGatewayVirtualHostDomains(hostRDSHost, port),
+ Routes: routes,
+ IncludeRequestAttemptCount: true,
+ TypedPerFilterConfig: mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
+ }
+ if server.Tls != nil && server.Tls.HttpsRedirect {
+ vHost.RequireTls = route.VirtualHost_ALL
+ }
+ }
+
+ // check all hostname if is not exist with HttpsRedirect set to true
+ // create VirtualHost to redirect
+ for _, hostname := range server.Hosts {
+ if !server.GetTls().GetHttpsRedirect() {
+ continue
+ }
+ if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
+ vHost.RequireTls = route.VirtualHost_ALL
+ continue
+ }
+ vHost = &route.VirtualHost{
+ Name: util.DomainName(hostname, port),
+ Domains: buildGatewayVirtualHostDomains(hostname, port),
+ IncludeRequestAttemptCount: true,
+ RequireTls: route.VirtualHost_ALL,
+ }
+ }
+
+ }
+ var virtualHosts []*route.VirtualHost
+ if vHost == nil {
+ log.Warnf("constructed http route config for route %s on port %d with no vhosts; Setting up a default 404 vhost", routeName, port)
+ virtualHosts = []*route.VirtualHost{{
+ Name: util.DomainName("blackhole", port),
+ Domains: []string{"*"},
+ // Empty route list will cause Envoy to 404 NR any requests
+ Routes: []*route.Route{},
+ }}
+ } else {
+ vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
+ virtualHosts = append(virtualHosts, vHost)
+ }
+
+ routeCfg := &route.RouteConfiguration{
+ // Retain the routeName as its used by EnvoyFilter patching logic
+ Name: routeName,
+ VirtualHosts: virtualHosts,
+ ValidateClusters: proto.BoolFalse,
+ }
+
+ return routeCfg
+}
+
+// End added by ingress
+
func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
routeName string) *route.RouteConfiguration {
if node.MergedGateway == nil {
@@ -351,6 +621,12 @@
}
}
+ // Added by ingress
+ if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
+ return configgen.buildHostRDSConfig(node, push, routeName)
+ }
+ // End added by ingress
+
merged := node.MergedGateway
log.Debugf("buildGatewayRoutes: gateways after merging: %v", merged)
@@ -670,7 +946,9 @@
// TLS mode | Mesh-wide SDS | Ingress SDS | Resulting Configuration
// SIMPLE/MUTUAL | ENABLED | ENABLED | support SDS at ingress gateway to terminate SSL communication outside the mesh
// ISTIO_MUTUAL | ENABLED | DISABLED | support SDS at gateway to terminate workload mTLS, with internal workloads
-// | for egress or with another trusted cluster for ingress)
+//
+// | for egress or with another trusted cluster for ingress)
+//
// ISTIO_MUTUAL | DISABLED | DISABLED | use file-mounted secret paths to terminate workload mTLS from gateway
//
// Note that ISTIO_MUTUAL TLS mode and ingressSds should not be used simultaneously on the same ingress gateway.
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/listener.go istio-new/pilot/pkg/networking/core/v1alpha3/listener.go
--- istio/pilot/pkg/networking/core/v1alpha3/listener.go 2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/listener.go 2024-01-05 17:31:10.000000000 +0800
@@ -1279,8 +1279,48 @@
notimeout := durationpb.New(0 * time.Second)
connectionManager.StreamIdleTimeout = notimeout
-
- if httpOpts.rds != "" {
+ // Added by ingress
+ enableSRDS := false
+ if features.EnableScopedRDS &&
+ (listenerOpts.port.Protocol.IsHTTP() || (listenerOpts.port.Protocol == protocol.HTTPS)) {
+ enableSRDS = true
+ portFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
+ Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor_{
+ LocalPortValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_LocalPortValueExtractor{},
+ }}
+ hostFragment := &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{
+ Type: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor_{
+ HostValueExtractor: &hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HostValueExtractor{},
+ }}
+ scopedRoutes := &hcm.HttpConnectionManager_ScopedRoutes{
+ ScopedRoutes: &hcm.ScopedRoutes{
+ Name: constants.DefaultScopedRouteName,
+ ScopeKeyBuilder: &hcm.ScopedRoutes_ScopeKeyBuilder{
+ Fragments: []*hcm.ScopedRoutes_ScopeKeyBuilder_FragmentBuilder{portFragment, hostFragment},
+ },
+ RdsConfigSource: &core.ConfigSource{
+ ConfigSourceSpecifier: &core.ConfigSource_Ads{
+ Ads: &core.AggregatedConfigSource{},
+ },
+ InitialFetchTimeout: durationpb.New(0),
+ ResourceApiVersion: core.ApiVersion_V3,
+ },
+ ConfigSpecifier: &hcm.ScopedRoutes_ScopedRds{
+ ScopedRds: &hcm.ScopedRds{
+ ScopedRdsConfigSource: &core.ConfigSource{
+ ConfigSourceSpecifier: &core.ConfigSource_Ads{
+ Ads: &core.AggregatedConfigSource{},
+ },
+ InitialFetchTimeout: durationpb.New(0),
+ ResourceApiVersion: core.ApiVersion_V3,
+ },
+ },
+ },
+ },
+ }
+ connectionManager.RouteSpecifier = scopedRoutes
+ } else if httpOpts.rds != "" {
+ // End added by ingress
rds := &hcm.HttpConnectionManager_Rds{
Rds: &hcm.Rds{
ConfigSource: &core.ConfigSource{
@@ -1304,8 +1344,15 @@
filters := make([]*hcm.HttpFilter, len(httpFilters))
copy(filters, httpFilters)
- // Make sure cors filter always in the first.
- filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
+ // Added by ingress
+ // Now only support onDemandRDS when enable SRDS
+ if features.OnDemandRDS && enableSRDS {
+ filters = append([]*hcm.HttpFilter{xdsfilters.OnDemand, xdsfilters.Cors}, filters...)
+ } else {
+ // End added by ingress
+ // Make sure cors filter always in the first.
+ filters = append([]*hcm.HttpFilter{xdsfilters.Cors}, filters...)
+ }
if features.MetadataExchange {
filters = append(filters, xdsfilters.HTTPMx)
diff -Naur istio/pilot/pkg/xds/ads.go istio-new/pilot/pkg/xds/ads.go
--- istio/pilot/pkg/xds/ads.go 2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pilot/pkg/xds/ads.go 2024-01-05 17:31:44.000000000 +0800
@@ -797,15 +797,18 @@
// PushOrder defines the order that updates will be pushed in. Any types not listed here will be pushed in random
// order after the types listed here
-var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.RouteType, v3.SecretType}
+var PushOrder = []string{v3.ClusterType, v3.EndpointType, v3.ListenerType, v3.ScopedRouteType, v3.RouteType, v3.SecretType}
// KnownOrderedTypeUrls has typeUrls for which we know the order of push.
var KnownOrderedTypeUrls = map[string]struct{}{
v3.ClusterType: {},
v3.EndpointType: {},
v3.ListenerType: {},
- v3.RouteType: {},
- v3.SecretType: {},
+ // Added by ingress
+ v3.ScopedRouteType: {},
+ // End added by ingress
+ v3.RouteType: {},
+ v3.SecretType: {},
}
// orderWatchedResources orders the resources in accordance with known push order.
diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
--- istio/pilot/pkg/xds/discovery.go 2024-01-05 17:58:07.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go 2024-01-04 21:20:00.000000000 +0800
@@ -589,6 +589,9 @@
s.Generators[v3.ClusterType] = &CdsGenerator{Server: s}
s.Generators[v3.ListenerType] = &LdsGenerator{Server: s}
s.Generators[v3.RouteType] = &RdsGenerator{Server: s}
+ // Added by ingress
+ s.Generators[v3.ScopedRouteType] = &SrdsGenerator{Server: s}
+ // End added by ingress
s.Generators[v3.EndpointType] = edsGen
s.Generators[v3.NameTableType] = &NdsGenerator{Server: s}
s.Generators[v3.ExtensionConfigurationType] = &EcdsGenerator{Server: s}
diff -Naur istio/pilot/pkg/xds/filters/filters.go istio-new/pilot/pkg/xds/filters/filters.go
--- istio/pilot/pkg/xds/filters/filters.go 2024-01-05 17:58:03.000000000 +0800
+++ istio-new/pilot/pkg/xds/filters/filters.go 2024-01-04 21:20:00.000000000 +0800
@@ -21,6 +21,7 @@
fault "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3"
grpcstats "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_stats/v3"
grpcweb "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/grpc_web/v3"
+ ondemand "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3"
router "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
httpwasm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/wasm/v3"
httpinspector "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/http_inspector/v3"
@@ -54,6 +55,14 @@
// Define static filters to be reused across the codebase. This avoids duplicate marshaling/unmarshaling
// This should not be used for filters that will be mutated
var (
+ // Added by ingress
+ OnDemand = &hcm.HttpFilter{
+ Name: "envoy.filters.http.on_demand.v3.OnDemand",
+ ConfigType: &hcm.HttpFilter_TypedConfig{
+ TypedConfig: util.MessageToAny(&ondemand.OnDemand{}),
+ },
+ }
+ // End added by ingress
Cors = &hcm.HttpFilter{
Name: wellknown.CORS,
ConfigType: &hcm.HttpFilter_TypedConfig{
diff -Naur istio/pilot/pkg/xds/srds.go istio-new/pilot/pkg/xds/srds.go
--- istio/pilot/pkg/xds/srds.go 1970-01-01 08:00:00.000000000 +0800
+++ istio-new/pilot/pkg/xds/srds.go 2024-01-05 13:45:49.000000000 +0800
@@ -0,0 +1,79 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package xds
+
+import (
+ discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+ "istio.io/istio/pilot/pkg/features"
+ "istio.io/istio/pilot/pkg/model"
+ "istio.io/istio/pilot/pkg/networking/util"
+ "istio.io/istio/pkg/config"
+ "istio.io/istio/pkg/config/schema/gvk"
+)
+
+type SrdsGenerator struct {
+ Server *DiscoveryServer
+}
+
+var _ model.XdsResourceGenerator = &SrdsGenerator{}
+
+// Map of all configs that do not impact SRDS
+var skippedSrdsConfigs = map[config.GroupVersionKind]struct{}{
+ gvk.WorkloadEntry: {},
+ gvk.WorkloadGroup: {},
+ gvk.RequestAuthentication: {},
+ gvk.PeerAuthentication: {},
+ gvk.Secret: {},
+}
+
+func srdsNeedsPush(req *model.PushRequest) bool {
+ if !features.EnableScopedRDS {
+ return false
+ }
+ if req == nil {
+ return true
+ }
+ if !req.Full {
+ // SRDS only handles full push
+ return false
+ }
+ // If none set, we will always push
+ if len(req.ConfigsUpdated) == 0 {
+ return true
+ }
+ for config := range req.ConfigsUpdated {
+ if _, f := skippedSrdsConfigs[config.Kind]; !f {
+ return true
+ }
+ }
+ return false
+}
+
+func (s SrdsGenerator) Generate(proxy *model.Proxy, push *model.PushContext, w *model.WatchedResource,
+ req *model.PushRequest) (model.Resources, model.XdsLogDetails, error) {
+ if !srdsNeedsPush(req) {
+ return nil, model.DefaultXdsLogDetails, nil
+ }
+
+ scopedRoutes := s.Server.ConfigGenerator.BuildScopedRoutes(proxy, push)
+ resources := model.Resources{}
+ for _, sr := range scopedRoutes {
+ resources = append(resources, &discovery.Resource{
+ Name: sr.Name,
+ Resource: util.MessageToAny(sr),
+ })
+ }
+ return resources, model.DefaultXdsLogDetails, nil
+}
diff -Naur istio/pilot/pkg/xds/v3/model.go istio-new/pilot/pkg/xds/v3/model.go
--- istio/pilot/pkg/xds/v3/model.go 2024-01-05 17:58:03.000000000 +0800
+++ istio-new/pilot/pkg/xds/v3/model.go 2024-01-05 16:55:49.000000000 +0800
@@ -31,6 +31,10 @@
SecretType = resource.SecretType
ExtensionConfigurationType = resource.ExtensionConfigType
+ // Added by ingress
+ ScopedRouteType = apiTypePrefix + "envoy.config.route.v3.ScopedRouteConfiguration"
+ // End added by ingress
+
NameTableType = apiTypePrefix + "istio.networking.nds.v1.NameTable"
HealthInfoType = apiTypePrefix + "istio.v1.HealthInformation"
ProxyConfigType = apiTypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
@@ -61,6 +65,10 @@
return "PCDS"
case ExtensionConfigurationType:
return "ECDS"
+ // Added by ingress
+ case ScopedRouteType:
+ return "SRDS"
+ // End added by ingress
default:
return typeURL
}
@@ -87,6 +95,10 @@
return "ecds"
case BootstrapType:
return "bds"
+ // Added by ingress
+ case ScopedRouteType:
+ return "srds"
+ // End added by ingress
default:
return typeURL
}
diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
--- istio/pkg/config/constants/constants.go 2024-01-05 17:58:08.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go 2024-01-04 21:20:00.000000000 +0800
@@ -143,4 +143,9 @@
// CertProviderNone does not create any certificates for the control plane. It is assumed that some external
// load balancer, such as an Istio Gateway, is terminating the TLS.
CertProviderNone = "none"
+
+ // Added by ingress
+ HigressHostRDSNamePrefix = "higress-rds-"
+ DefaultScopedRouteName = "scoped-route"
+ // End added by ingress
)

373
istio/1.12/patches/istio/20240115-optimize-rds-cache.patch
View File

@@ -1,373 +0,0 @@
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2024-01-15 19:20:45.000000000 +0800
@@ -96,6 +96,9 @@
publicByGateway map[string][]config.Config
// root vs namespace/name ->delegate vs virtualservice gvk/namespace/name
delegates map[ConfigKey][]ConfigKey
+ // Added by ingress
+ byHost map[string][]config.Config
+ // End added by ingress
}
func newVirtualServiceIndex() virtualServiceIndex {
@@ -104,6 +107,9 @@
privateByNamespaceAndGateway: map[string]map[string][]config.Config{},
exportedToNamespaceByGateway: map[string]map[string][]config.Config{},
delegates: map[ConfigKey][]ConfigKey{},
+ // Added by ingress
+ byHost: map[string][]config.Config{},
+ // End added by ingress
}
}
@@ -857,6 +863,13 @@
return res
}
+// Added by ingress
+func (ps *PushContext) VirtualServicesForHost(proxy *Proxy, host string) []config.Config {
+ return ps.virtualServiceIndex.byHost[host]
+}
+
+// End added by ingress
+
// DelegateVirtualServicesConfigKey lists all the delegate virtual services configkeys associated with the provided virtual services
func (ps *PushContext) DelegateVirtualServicesConfigKey(vses []config.Config) []ConfigKey {
var out []ConfigKey
@@ -1468,6 +1481,11 @@
for _, virtualService := range vservices {
ns := virtualService.Namespace
rule := virtualService.Spec.(*networking.VirtualService)
+ // Added by ingress
+ for _, host := range rule.Hosts {
+ ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+ }
+ // End added by ingress
gwNames := getGatewayNames(rule)
if len(rule.ExportTo) == 0 {
// No exportTo in virtualService. Use the global default
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-01-15 20:04:05.000000000 +0800
@@ -28,6 +28,7 @@
route "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+ discovery "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
"github.com/hashicorp/go-multierror"
meshconfig "istio.io/api/mesh/v1alpha1"
@@ -35,6 +36,7 @@
"istio.io/istio/pilot/pkg/features"
"istio.io/istio/pilot/pkg/model"
istionetworking "istio.io/istio/pilot/pkg/networking"
+ "istio.io/istio/pilot/pkg/networking/core/v1alpha3/envoyfilter"
"istio.io/istio/pilot/pkg/networking/core/v1alpha3/extension"
"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
istio_route "istio.io/istio/pilot/pkg/networking/core/v1alpha3/route"
@@ -423,8 +425,15 @@
gatewayName string
}
-func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(node *model.Proxy, push *model.PushContext,
- routeName string) *route.RouteConfiguration {
+func (configgen *ConfigGeneratorImpl) buildHostRDSConfig(
+ node *model.Proxy,
+ req *model.PushRequest,
+ routeName string,
+ vsCache map[int][]virtualServiceContext,
+ efw *model.EnvoyFilterWrapper,
+ efKeys []string,
+) (*discovery.Resource, bool) {
+ push := req.Push
var (
hostRDSPort string
hostRDSHost string
@@ -432,7 +441,7 @@
portAndHost := strings.SplitN(strings.TrimPrefix(routeName, constants.HigressHostRDSNamePrefix), ".", 2)
if len(portAndHost) != 2 {
log.Errorf("Invalid route %s when using Higress hostRDS", routeName)
- return nil
+ return nil, false
}
hostRDSPort = portAndHost[0]
hostRDSHost = portAndHost[1]
@@ -441,10 +450,24 @@
rdsPort, err := strconv.Atoi(hostRDSPort)
if err != nil {
log.Errorf("Invalid port %s of route %s when using Higress hostRDS", hostRDSPort, routeName)
- return nil
+ return nil, false
+ }
+
+ routeCache := &istio_route.Cache{
+ RouteName: routeName,
+ ProxyVersion: node.Metadata.IstioVersion,
+ ListenerPort: rdsPort,
+ // Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
+ VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
+ EnvoyFilterKeys: efKeys,
+ }
+
+ resource, exist := configgen.Cache.Get(routeCache)
+ if exist {
+ return resource, true
}
+
listenerPort := uint32(rdsPort)
- globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
isH3DiscoveryNeeded := false
@@ -457,9 +480,9 @@
break
}
}
-
gatewayRoutes := make(map[string]map[string][]*route.Route)
gatewayVirtualServices := make(map[string][]config.Config)
+ var listenerVirtualServices []virtualServiceContext
var selectedVirtualServices []virtualServiceContext
var vHost *route.VirtualHost
serverIterator := func(mergedServers map[model.ServerPort]*model.MergedServers) {
@@ -478,31 +501,8 @@
gatewayVirtualServices[gatewayName] = virtualServices
}
for _, virtualService := range virtualServices {
- hostMatch := false
- var selectHost string
- virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
- for _, hostname := range virtualServiceHosts {
- // exact match
- if hostname == host.Name(hostRDSHost) {
- hostMatch = true
- selectHost = hostRDSHost
- break
- }
- if features.HostRDSMergeSubset {
- // subset match
- if host.Name(hostRDSHost).SubsetOf(hostname) {
- hostMatch = true
- selectHost = string(hostname)
- }
- }
- }
- if !hostMatch {
- continue
- }
- copiedVS := virtualService.DeepCopy()
- copiedVS.Spec.(*networking.VirtualService).Hosts = []string{selectHost}
- selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
- virtualService: copiedVS,
+ listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
+ virtualService: virtualService,
server: server,
gatewayName: gatewayName,
})
@@ -510,15 +510,63 @@
}
}
}
- serverIterator(merged.MergedServers)
- serverIterator(merged.MergedQUICTransportServers)
- // Sort by subset
- // before: ["*.abc.com", "*.com", "www.abc.com"]
- // after: ["www.abc.com", "*.abc.com", "*.com"]
- sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
- return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
- host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
- })
+ var vsExists bool
+ if listenerVirtualServices, vsExists = vsCache[rdsPort]; !vsExists {
+ serverIterator(merged.MergedServers)
+ serverIterator(merged.MergedQUICTransportServers)
+ vsCache[rdsPort] = listenerVirtualServices
+ }
+ for _, vsCtx := range listenerVirtualServices {
+ virtualService := vsCtx.virtualService
+ hostMatch := false
+ var selectHost string
+ for _, hostname := range virtualService.Spec.(*networking.VirtualService).Hosts {
+ // exact match
+ if hostname == hostRDSHost {
+ hostMatch = true
+ selectHost = hostRDSHost
+ break
+ }
+ if features.HostRDSMergeSubset {
+ // subset match
+ if host.Name(hostRDSHost).SubsetOf(host.Name(hostname)) {
+ hostMatch = true
+ selectHost = hostname
+ }
+ }
+ }
+ if !hostMatch {
+ continue
+ }
+ if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
+ copiedVS := &networking.VirtualService{}
+ copiedVS = virtualService.Spec.(*networking.VirtualService)
+ copiedVS.Hosts = []string{selectHost}
+ selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
+ virtualService: config.Config{
+ Meta: virtualService.Meta,
+ Spec: copiedVS,
+ Status: virtualService.Status,
+ },
+ server: vsCtx.server,
+ gatewayName: vsCtx.gatewayName,
+ })
+ } else {
+ selectedVirtualServices = append(selectedVirtualServices, vsCtx)
+ }
+ }
+ if features.HostRDSMergeSubset {
+ // Sort by subset
+ // before: ["*.abc.com", "*.com", "www.abc.com"]
+ // after: ["www.abc.com", "*.abc.com", "*.com"]
+ sort.SliceStable(selectedVirtualServices, func(i, j int) bool {
+ return host.Name(selectedVirtualServices[i].virtualService.Spec.(*networking.VirtualService).Hosts[0]).SubsetOf(
+ host.Name(selectedVirtualServices[j].virtualService.Spec.(*networking.VirtualService).Hosts[0]))
+ })
+ }
+
+ globalHTTPFilters := mseingress.ExtractGlobalHTTPFilters(node, push)
+
port := int(listenerPort)
for _, ctx := range selectedVirtualServices {
virtualService := ctx.virtualService
@@ -605,25 +653,42 @@
ValidateClusters: proto.BoolFalse,
}
- return routeCfg
+ routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
+ resource = &discovery.Resource{
+ Name: routeName,
+ Resource: util.MessageToAny(routeCfg),
+ }
+
+ if features.EnableRDSCaching {
+ configgen.Cache.Add(routeCache, req, resource)
+ }
+
+ return resource, false
}
// End added by ingress
-func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Proxy, push *model.PushContext,
- routeName string) *route.RouteConfiguration {
+// Modifed by ingress
+func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(
+ node *model.Proxy,
+ req *model.PushRequest,
+ routeName string,
+ vsCache map[int][]virtualServiceContext,
+ efw *model.EnvoyFilterWrapper,
+ efKeys []string,
+) (*discovery.Resource, bool) {
if node.MergedGateway == nil {
log.Warnf("buildGatewayRoutes: no gateways for router %v", node.ID)
- return &route.RouteConfiguration{
- Name: routeName,
- VirtualHosts: []*route.VirtualHost{},
- ValidateClusters: proto.BoolFalse,
- }
+ return nil, false
}
-
// Added by ingress
+ push := req.Push
if strings.HasPrefix(routeName, constants.HigressHostRDSNamePrefix) {
- return configgen.buildHostRDSConfig(node, push, routeName)
+ resource, cacheHit := configgen.buildHostRDSConfig(node, req, routeName, vsCache, efw, efKeys)
+ if resource == nil {
+ return nil, false
+ }
+ return resource, cacheHit
}
// End added by ingress
@@ -636,7 +701,7 @@
// This can happen when a gateway has recently been deleted. Envoy will still request route
// information due to the draining of listeners, so we should not return an error.
- return nil
+ return nil, false
}
servers := merged.ServersByRouteName[routeName]
@@ -768,9 +833,16 @@
ValidateClusters: proto.BoolFalse,
}
- return routeCfg
+ routeCfg = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, routeCfg)
+ resource := &discovery.Resource{
+ Name: routeName,
+ Resource: util.MessageToAny(routeCfg),
+ }
+ return resource, false
}
+// End modified by ingress
+
// hashRouteList returns a hash of a list of pointers
func hashRouteList(r []*route.Route) uint64 {
hash := md5.New()
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/httproute.go istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go
--- istio/pilot/pkg/networking/core/v1alpha3/httproute.go 2024-01-15 20:46:41.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/httproute.go 2024-01-15 10:29:09.000000000 +0800
@@ -78,17 +78,30 @@
routeConfigurations = append(routeConfigurations, rc)
}
case model.Router:
+ // Modified by ingress
+ vsCache := make(map[int][]virtualServiceContext)
+ envoyfilterKeys := efw.Keys()
for _, routeName := range routeNames {
- rc := configgen.buildGatewayHTTPRouteConfig(node, req.Push, routeName)
- if rc != nil {
- rc = envoyfilter.ApplyRouteConfigurationPatches(networking.EnvoyFilter_GATEWAY, node, efw, rc)
- resource := &discovery.Resource{
+ rc, cached := configgen.buildGatewayHTTPRouteConfig(node, req, routeName, vsCache, efw, envoyfilterKeys)
+ if cached && !features.EnableUnsafeAssertions {
+ hit++
+ } else {
+ miss++
+ }
+ if rc == nil {
+ emptyRoute := &route.RouteConfiguration{
+ Name: routeName,
+ VirtualHosts: []*route.VirtualHost{},
+ ValidateClusters: proto.BoolFalse,
+ }
+ rc = &discovery.Resource{
Name: routeName,
- Resource: util.MessageToAny(rc),
+ Resource: util.MessageToAny(emptyRoute),
}
- routeConfigurations = append(routeConfigurations, resource)
}
+ routeConfigurations = append(routeConfigurations, rc)
}
+ // End modified by ingress
}
if !features.EnableRDSCaching {
return routeConfigurations, model.DefaultXdsLogDetails
diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
--- istio/pilot/pkg/xds/discovery.go 2024-01-15 20:46:45.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go 2024-01-12 19:56:02.000000000 +0800
@@ -392,6 +392,9 @@
// ConfigUpdate implements ConfigUpdater interface, used to request pushes.
// It replaces the 'clear cache' from v1.
func (s *DiscoveryServer) ConfigUpdate(req *model.PushRequest) {
+ if req.Full {
+ log.Infof("full push happen, reason:%v", req.Reason)
+ }
inboundConfigUpdates.Increment()
s.InboundUpdates.Inc()
s.pushChannel <- req

60
istio/1.12/patches/istio/20240201-optimize-default-arg.patch
View File

@@ -1,60 +0,0 @@
diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
--- istio/pilot/cmd/pilot-agent/status/util/stats.go 2024-02-01 10:20:13.000000000 +0800
+++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go 2024-01-31 22:44:53.000000000 +0800
@@ -73,7 +73,7 @@
localHostAddr = "localhost"
}
- readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)
+ readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort)
stats, err := http.DoHTTPGetWithTimeout(readinessURL, readinessTimeout)
if err != nil {
return nil, false, err
@@ -105,7 +105,7 @@
localHostAddr = "localhost"
}
- stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, updateStatsRegex))
+ stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
if err != nil {
return nil, err
}
diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
--- istio/pilot/pkg/features/pilot.go 2024-02-01 10:20:17.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go 2024-02-01 10:16:18.000000000 +0800
@@ -575,6 +575,8 @@
"If enabled, each host in virtualservice will have an independent RDS, which is used with SRDS").Get()
OnDemandRDS = env.RegisterBoolVar("ON_DEMAND_RDS", false,
"If enabled, the on demand filter will be added to the HCM filters").Get()
+ DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
+ "The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
// End added by ingress
)
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/cluster.go istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go
--- istio/pilot/pkg/networking/core/v1alpha3/cluster.go 2024-02-01 10:20:17.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/cluster.go 2024-02-01 10:16:05.000000000 +0800
@@ -61,6 +61,7 @@
// getDefaultCircuitBreakerThresholds returns a copy of the default circuit breaker thresholds for the given traffic direction.
func getDefaultCircuitBreakerThresholds() *cluster.CircuitBreakers_Thresholds {
+ // Modified by ingress
return &cluster.CircuitBreakers_Thresholds{
// DefaultMaxRetries specifies the default for the Envoy circuit breaker parameter max_retries. This
// defines the maximum number of parallel retries a given Envoy will allow to the upstream cluster. Envoy defaults
@@ -68,11 +69,12 @@
// where multiple endpoints in a cluster are terminated. In these scenarios the circuit breaker can kick
// in before Pilot is able to deliver an updated endpoint list to Envoy, leading to client-facing 503s.
MaxRetries: &wrappers.UInt32Value{Value: math.MaxUint32},
- MaxRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
- MaxConnections: &wrappers.UInt32Value{Value: math.MaxUint32},
- MaxPendingRequests: &wrappers.UInt32Value{Value: math.MaxUint32},
+ MaxRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ MaxConnections: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
+ MaxPendingRequests: &wrappers.UInt32Value{Value: uint32(features.DefaultUpstreamConcurrencyThreshold)},
TrackRemaining: true,
}
+ // End modified by ingress
}
// BuildClusters returns the list of clusters for the given proxy. This is the CDS output

88
istio/1.12/patches/istio/20240201-virtual-host-allow-server-name.patch
View File

@@ -1,88 +0,0 @@
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-02-01 13:53:17.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-02-01 13:52:11.000000000 +0800
@@ -501,6 +501,16 @@
gatewayVirtualServices[gatewayName] = virtualServices
}
for _, virtualService := range virtualServices {
+ virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts)
+ serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace)
+
+ // We have two cases here:
+ // 1. virtualService hosts are 1.foo.com, 2.foo.com, 3.foo.com and server hosts are ns/*.foo.com
+ // 2. virtualService hosts are *.foo.com, and server hosts are ns/1.foo.com, ns/2.foo.com, ns/3.foo.com
+ intersectingHosts := serverHosts.Intersection(virtualServiceHosts)
+ if len(intersectingHosts) == 0 {
+ continue
+ }
listenerVirtualServices = append(listenerVirtualServices, virtualServiceContext{
virtualService: virtualService,
server: server,
@@ -615,22 +625,24 @@
// check all hostname if is not exist with HttpsRedirect set to true
// create VirtualHost to redirect
- for _, hostname := range server.Hosts {
- if !server.GetTls().GetHttpsRedirect() {
- continue
- }
- if vHost != nil && host.Name(hostname) == host.Name(hostRDSHost) {
+ if server.GetTls().GetHttpsRedirect() {
+ if vHost != nil {
vHost.RequireTls = route.VirtualHost_ALL
- continue
+ } else {
+ vHost = &route.VirtualHost{
+ Name: util.DomainName(hostRDSHost, port),
+ Domains: buildGatewayVirtualHostDomains(hostRDSHost, port),
+ IncludeRequestAttemptCount: true,
+ RequireTls: route.VirtualHost_ALL,
+ }
}
- vHost = &route.VirtualHost{
- Name: util.DomainName(hostname, port),
- Domains: buildGatewayVirtualHostDomains(hostname, port),
- IncludeRequestAttemptCount: true,
- RequireTls: route.VirtualHost_ALL,
+ } else if vHost != nil {
+ mode := server.GetTls().GetMode()
+ if mode == networking.ServerTLSSettings_MUTUAL ||
+ mode == networking.ServerTLSSettings_ISTIO_MUTUAL {
+ vHost.AllowServerNames = append(vHost.AllowServerNames, server.Hosts...)
}
}
-
}
var virtualHosts []*route.VirtualHost
if vHost == nil {
@@ -642,6 +654,30 @@
Routes: []*route.Route{},
}}
} else {
+ sort.SliceStable(vHost.AllowServerNames, func(i, j int) bool {
+ hostI := vHost.AllowServerNames[i]
+ hostJ := vHost.AllowServerNames[j]
+ if host.Name(hostI).SubsetOf(host.Name(hostJ)) {
+ return true
+ }
+ return hostI < hostJ
+ })
+ var uniqueServerNames []string
+ hasAllCatch := false
+ for i, name := range vHost.AllowServerNames {
+ if name == "*" {
+ hasAllCatch = true
+ break
+ }
+ if i == 0 || vHost.AllowServerNames[i-1] != name {
+ uniqueServerNames = append(uniqueServerNames, name)
+ }
+ }
+ if hasAllCatch {
+ vHost.AllowServerNames = nil
+ } else {
+ vHost.AllowServerNames = uniqueServerNames
+ }
vHost.Routes = istio_route.CombineVHostRoutes(vHost.Routes)
virtualHosts = append(virtualHosts, vHost)
}

41
istio/1.12/patches/istio/20240202-fix-rds-cache.patch
View File

@@ -1,41 +0,0 @@
diff -Naur istio/pilot/pkg/xds/discovery.go istio-new/pilot/pkg/xds/discovery.go
--- istio/pilot/pkg/xds/discovery.go 2024-02-02 16:26:49.000000000 +0800
+++ istio-new/pilot/pkg/xds/discovery.go 2024-02-02 15:38:53.000000000 +0800
@@ -18,6 +18,7 @@
"context"
"fmt"
"strconv"
+ "strings"
"sync"
"time"
@@ -41,6 +42,7 @@
"istio.io/istio/pilot/pkg/util/sets"
v3 "istio.io/istio/pilot/pkg/xds/v3"
"istio.io/istio/pkg/cluster"
+ "istio.io/istio/pkg/config/constants"
"istio.io/istio/pkg/security"
)
@@ -332,6 +334,21 @@
} else {
// Otherwise, just clear the updated configs
s.Cache.Clear(req.ConfigsUpdated)
+ //Added by ingress
+ trimKeyMap := make(map[model.ConfigKey]struct{})
+ for configKey := range req.ConfigsUpdated {
+ if strings.HasPrefix(configKey.Name, constants.IstioIngressGatewayName+"-") {
+ trimKeyMap[model.ConfigKey{
+ Kind: configKey.Kind,
+ Name: strings.TrimPrefix(configKey.Name, constants.IstioIngressGatewayName+"-"),
+ Namespace: configKey.Namespace,
+ }] = struct{}{}
+ }
+ }
+ if len(trimKeyMap) > 0 {
+ s.Cache.Clear(trimKeyMap)
+ }
+ //End added by ingress
}
}

21
istio/1.12/patches/istio/20240204-increase-healthcheck-timeout.patch
View File

@@ -1,21 +0,0 @@
diff -Naur istio/pilot/cmd/pilot-agent/status/util/stats.go istio-new/pilot/cmd/pilot-agent/status/util/stats.go
--- istio/pilot/cmd/pilot-agent/status/util/stats.go 2024-02-04 18:48:18.000000000 +0800
+++ istio-new/pilot/cmd/pilot-agent/status/util/stats.go 2024-02-04 09:35:42.000000000 +0800
@@ -37,7 +37,7 @@
updateStatsRegex = "^(cluster_manager\\.cds|listener_manager\\.lds)\\.(update_success|update_rejected)$"
)
-var readinessTimeout = time.Second * 3 // Default Readiness timeout. It is set the same in helm charts.
+var readinessTimeout = time.Second * 60 // Default Readiness timeout. It is set the same in helm charts.
type stat struct {
name string
@@ -105,7 +105,7 @@
localHostAddr = "localhost"
}
- stats, err := http.DoHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort))
+ stats, err := http.DoHTTPGetWithTimeout(fmt.Sprintf("http://%s:%d/stats?usedonly", localHostAddr, adminPort), readinessTimeout)
if err != nil {
return nil, err
}

132
istio/1.12/patches/istio/20240304-fix-gwapi-rds-cache.patch
View File

@@ -1,132 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2024-03-04 16:58:26.000000000 +0800
@@ -450,7 +450,7 @@
name = fmt.Sprintf("%s/%s/%s.%s", obj.GroupVersionKind.Kind, obj.Name, *sectionName, obj.Namespace)
}
return map[string]string{
- constants.InternalParentName: name,
+ constants.InternalParentNames: name,
}
}
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-03-04 17:23:10.000000000 +0800
@@ -49,6 +49,7 @@
"istio.io/istio/pkg/config/gateway"
"istio.io/istio/pkg/config/host"
"istio.io/istio/pkg/config/protocol"
+ "istio.io/istio/pkg/config/schema/gvk"
"istio.io/istio/pkg/config/security"
"istio.io/istio/pkg/proto"
"istio.io/istio/pkg/util/istiomultierror"
@@ -453,12 +454,43 @@
return nil, false
}
+ hostVs := push.VirtualServicesForHost(node, hostRDSHost)
+
+ var httpRoutes []config.Config
+
+ for _, vs := range hostVs {
+ if len(vs.Annotations) == 0 {
+ continue
+ }
+ if parents, ok := vs.Annotations[constants.InternalParentNames]; ok {
+ typeNames := strings.Split(parents, ",")
+ for _, typeName := range typeNames {
+ if !strings.HasPrefix(typeName, "HTTPRoute/") {
+ continue
+ }
+ nsNameStr := strings.TrimPrefix(typeName, "HTTPRoute/")
+ nsName := strings.SplitN(nsNameStr, ".", 2)
+ if len(nsName) != 2 {
+ continue
+ }
+ httpRoutes = append(httpRoutes, config.Config{
+ Meta: config.Meta{
+ GroupVersionKind: gvk.HTTPRoute,
+ Name: nsName[0],
+ Namespace: nsName[1],
+ },
+ })
+ }
+ }
+ }
+
routeCache := &istio_route.Cache{
RouteName: routeName,
ProxyVersion: node.Metadata.IstioVersion,
ListenerPort: rdsPort,
// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
- VirtualServices: push.VirtualServicesForHost(node, hostRDSHost),
+ VirtualServices: hostVs,
+ HTTPRoutes: httpRoutes,
EnvoyFilterKeys: efKeys,
}
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go
--- istio/pilot/pkg/networking/core/v1alpha3/route/route_cache.go 2024-03-04 17:35:30.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/route/route_cache.go 2024-03-04 17:24:19.000000000 +0800
@@ -43,9 +43,12 @@
// This depends on DNSCapture.
DNSAutoAllocate bool
- ListenerPort int
- Services []*model.Service
- VirtualServices []config.Config
+ ListenerPort int
+ Services []*model.Service
+ VirtualServices []config.Config
+ // Added by ingress
+ HTTPRoutes []config.Config
+ // End added by ingress
DestinationRules []*config.Config
EnvoyFilterKeys []string
}
@@ -81,6 +84,11 @@
for _, vs := range r.VirtualServices {
configs = append(configs, model.ConfigKey{Kind: gvk.VirtualService, Name: vs.Name, Namespace: vs.Namespace})
}
+ // Added by ingress
+ for _, route := range r.HTTPRoutes {
+ configs = append(configs, model.ConfigKey{Kind: gvk.HTTPRoute, Name: route.Name, Namespace: route.Namespace})
+ }
+ // End added by ingress
for _, dr := range r.DestinationRules {
configs = append(configs, model.ConfigKey{Kind: gvk.DestinationRule, Name: dr.Name, Namespace: dr.Namespace})
}
@@ -107,6 +115,11 @@
for _, vs := range r.VirtualServices {
params = append(params, vs.Name+"/"+vs.Namespace)
}
+ // Added by ingress
+ for _, route := range r.HTTPRoutes {
+ params = append(params, route.Name+"/"+route.Namespace)
+ }
+ // End added by ingress
for _, dr := range r.DestinationRules {
params = append(params, dr.Name+"/"+dr.Namespace)
}
diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
--- istio/pkg/config/constants/constants.go 2024-03-04 17:35:34.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go 2024-03-04 16:58:05.000000000 +0800
@@ -15,8 +15,6 @@
package constants
const (
- InternalParentNames = "internal.istio.io/parents"
-
InternalRouteSemantics = "internal.istio.io/route-semantics"
RouteSemanticsGateway = "gateway"
@@ -129,7 +127,7 @@
AlwaysPushLabel = "internal.istio.io/always-push"
// InternalParentName declares the original resource of an internally-generate config. This is used by the gateway-api.
- InternalParentName = "internal.istio.io/parent"
+ InternalParentNames = "internal.istio.io/parents"
// TrustworthyJWTPath is the default 3P token to authenticate with third party services
TrustworthyJWTPath = "./var/run/secrets/tokens/istio-token"

56
istio/1.12/patches/istio/20240308-fix-gateway-api-route-name.patch
View File

@@ -1,56 +0,0 @@
diff -Naur istio/pilot/pkg/config/kube/gateway/conversion.go istio-new/pilot/pkg/config/kube/gateway/conversion.go
--- istio/pilot/pkg/config/kube/gateway/conversion.go 2024-03-08 17:23:49.000000000 +0800
+++ istio-new/pilot/pkg/config/kube/gateway/conversion.go 2024-03-08 17:02:50.000000000 +0800
@@ -16,6 +16,7 @@
import (
"fmt"
+ "path"
"regexp"
"sort"
"strconv"
@@ -28,6 +29,7 @@
gatewayapiV1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
istio "istio.io/api/networking/v1alpha3"
+ "istio.io/istio/pilot/pkg/features"
"istio.io/istio/pilot/pkg/model"
"istio.io/istio/pilot/pkg/model/credentials"
"istio.io/istio/pilot/pkg/model/kstatus"
@@ -290,6 +292,16 @@
return ret
}
+// Added by ingress
+func generateRouteName(obj config.Config) string {
+ if obj.Namespace == features.HigressSystemNs {
+ return obj.Name
+ }
+ return path.Join(obj.Namespace, obj.Name)
+}
+
+// End added by ingress
+
func buildHTTPVirtualServices(ctx *KubernetesResources, obj config.Config, gateways map[parentKey]map[gatewayapiV1beta1.SectionName]*parentInfo, gatewayRoutes map[string]map[string]*config.Config, domain string) {
route := obj.Spec.(*gatewayapiV1beta1.HTTPRouteSpec)
@@ -307,7 +319,7 @@
for _, r := range route.Rules {
// TODO: implement rewrite, timeout, mirror, corspolicy, retries
vs := &istio.HTTPRoute{
- Name: obj.Name,
+ Name: generateRouteName(obj),
}
for _, match := range r.Matches {
uri, err := createURIMatch(match)
diff -Naur istio/pilot/pkg/features/pilot.go istio-new/pilot/pkg/features/pilot.go
--- istio/pilot/pkg/features/pilot.go 2024-03-08 17:23:49.000000000 +0800
+++ istio-new/pilot/pkg/features/pilot.go 2024-03-08 17:00:05.000000000 +0800
@@ -577,6 +577,7 @@
"If enabled, the on demand filter will be added to the HCM filters").Get()
DefaultUpstreamConcurrencyThreshold = env.RegisterIntVar("DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD", 1000000,
"The default threshold of max_requests/max_pending_requests/max_connections of circuit breaker").Get()
+ HigressSystemNs = env.RegisterStringVar("HIGRESS_SYSTEM_NS", "higress-system", "The system namespace of Higress").Get()
// End added by ingress
)

20
istio/1.12/patches/istio/20240422-fix-copyvs.patch
View File

@@ -1,20 +0,0 @@
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-04-22 18:08:26.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-04-22 18:07:46.000000000 +0800
@@ -581,13 +581,13 @@
continue
}
if len(virtualService.Spec.(*networking.VirtualService).Hosts) > 1 {
- copiedVS := &networking.VirtualService{}
- copiedVS = virtualService.Spec.(*networking.VirtualService)
+ copiedVS := networking.VirtualService{}
+ copiedVS = *(virtualService.Spec.(*networking.VirtualService))
copiedVS.Hosts = []string{selectHost}
selectedVirtualServices = append(selectedVirtualServices, virtualServiceContext{
virtualService: config.Config{
Meta: virtualService.Meta,
- Spec: copiedVS,
+ Spec: &copiedVS,
Status: virtualService.Status,
},
server: vsCtx.server,

83
istio/1.12/patches/istio/20240518-optimize-rds-cache.patch
View File

@@ -1,83 +0,0 @@
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-05-18 19:09:14.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-05-18 18:08:30.000000000 +0800
@@ -457,8 +457,46 @@
hostVs := push.VirtualServicesForHost(node, hostRDSHost)
var httpRoutes []config.Config
+ var vsDependent []config.Config
+
+ cacheable := true
for _, vs := range hostVs {
+ vsSpec := vs.Spec.(*networking.VirtualService)
+ for _, vsHttpRoute := range vsSpec.Http {
+ // check if dynamic port exists, we should not cache RDS
+ for _, vsRoute := range vsHttpRoute.Route {
+ if vsRoute.Destination.Port == nil {
+ cacheable = false
+ }
+ for _, fallbackDestination := range vsRoute.FallbackClusters {
+ if fallbackDestination.Port == nil {
+ cacheable = false
+ }
+ }
+ }
+ if vsHttpRoute.Mirror != nil && vsHttpRoute.Mirror.Port == nil {
+ cacheable = false
+ }
+ if vsHttpRoute.Delegate != nil {
+ vsDependent = append(vsDependent, config.Config{
+ Meta: config.Meta{
+ GroupVersionKind: gvk.VirtualService,
+ Name: vsHttpRoute.Delegate.Name,
+ Namespace: vsHttpRoute.Delegate.Namespace,
+ },
+ Spec: networking.VirtualService{},
+ })
+ }
+ }
+ vsDependent = append(vsDependent, config.Config{
+ Meta: config.Meta{
+ GroupVersionKind: gvk.VirtualService,
+ Name: vs.Name,
+ Namespace: vs.Namespace,
+ },
+ Spec: vs.Spec,
+ })
if len(vs.Annotations) == 0 {
continue
}
@@ -489,14 +527,19 @@
ProxyVersion: node.Metadata.IstioVersion,
ListenerPort: rdsPort,
// Use same host vs to cache, although the cache can be cleared when the port is different, this can be accepted
- VirtualServices: hostVs,
+ VirtualServices: vsDependent,
HTTPRoutes: httpRoutes,
EnvoyFilterKeys: efKeys,
}
- resource, exist := configgen.Cache.Get(routeCache)
- if exist {
- return resource, true
+ var resource *discovery.Resource
+ if cacheable {
+ resource, exist := configgen.Cache.Get(routeCache)
+ if exist {
+ return resource, true
+ }
+ } else {
+ log.Warnf("route cache is disabled for RDS:%s", routeName)
}
listenerPort := uint32(rdsPort)
@@ -727,7 +770,7 @@
Resource: util.MessageToAny(routeCfg),
}
- if features.EnableRDSCaching {
+ if features.EnableRDSCaching && cacheable {
configgen.Cache.Add(routeCache, req, resource)
}

752
istio/1.12/patches/istio/20240519-proxy-start-script.patch
View File

@@ -1,752 +0,0 @@
diff -Naur istio/pilot/docker/Dockerfile.proxyv2 istio-new/pilot/docker/Dockerfile.proxyv2
--- istio/pilot/docker/Dockerfile.proxyv2 2024-05-19 16:40:42.706769894 +0800
+++ istio-new/pilot/docker/Dockerfile.proxyv2 2024-05-19 16:07:20.630730574 +0800
@@ -28,6 +28,7 @@
# Copy Envoy bootstrap templates used by pilot-agent
COPY envoy_bootstrap.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+COPY envoy_bootstrap_lite.json /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json
COPY gcp_envoy_bootstrap.json /var/lib/istio/envoy/gcp_envoy_bootstrap_tmpl.json
# Install Envoy.
@@ -47,5 +48,30 @@
# COPY metadata-exchange-filter.wasm /etc/istio/extensions/metadata-exchange-filter.wasm
# COPY metadata-exchange-filter.compiled.wasm /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+RUN apt-get update && \
+ apt-get install --no-install-recommends -y \
+ logrotate \
+ cron \
+ && apt-get upgrade -y \
+ && apt-get clean
+
+# Latest releases available at https://github.com/aptible/supercronic/releases
+ENV SUPERCRONIC_URL=https://higress.io/release-binary/supercronic-linux-${TARGETARCH:-amd64} \
+ SUPERCRONIC=supercronic-linux-${TARGETARCH:-amd64}
+
+RUN curl -fsSLO "$SUPERCRONIC_URL" \
+ && chmod +x "$SUPERCRONIC" \
+ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
+
+
+COPY higress-proxy-start.sh /usr/local/bin/higress-proxy-start.sh
+
+COPY higress-proxy-container-init.sh /usr/local/bin/higress-proxy-container-init.sh
+
+RUN chmod a+x /usr/local/bin/higress-proxy-container-init.sh;/usr/local/bin/higress-proxy-container-init.sh
+
+RUN chmod a+x /usr/local/bin/higress-proxy-start.sh
+
# The pilot-agent will bootstrap Envoy.
-ENTRYPOINT ["/usr/local/bin/pilot-agent"]
+ENTRYPOINT ["/usr/local/bin/higress-proxy-start.sh"]
diff -Naur istio/tools/istio-docker.mk istio-new/tools/istio-docker.mk
--- istio/tools/istio-docker.mk 2024-05-19 16:40:42.734769895 +0800
+++ istio-new/tools/istio-docker.mk 2024-05-19 16:02:43.222725126 +0800
@@ -96,6 +96,9 @@
docker.proxyv2: BUILD_ARGS=--build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} --build-arg istio_version=${VERSION} --build-arg BASE_VERSION=${BASE_VERSION} --build-arg SIDECAR=${SIDECAR} --build-arg HUB=${HUB}
docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap.json
docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/gcp_envoy_bootstrap.json
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-start.sh
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/higress-proxy-container-init.sh
+docker.proxyv2: ${ISTIO_ENVOY_BOOTSTRAP_CONFIG_DIR}/envoy_bootstrap_lite.json
docker.proxyv2: ${ISTIO_ENVOY_LINUX_ARM64_RELEASE_DIR}/${SIDECAR}
docker.proxyv2: ${ISTIO_ENVOY_LINUX_AMD64_RELEASE_DIR}/${SIDECAR}
docker.proxyv2: $(ISTIO_OUT_LINUX)/pilot-agent
diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
--- istio/tools/packaging/common/envoy_bootstrap_lite.json 1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json 2024-05-19 16:36:39.274765113 +0800
@@ -0,0 +1,642 @@
+{
+ "node": {
+ "id": "{{ .nodeID }}",
+ "cluster": "{{ .cluster }}",
+ "locality": {
+ {{- if .region }}
+ "region": "{{ .region }}"
+ {{- end }}
+ {{- if .zone }}
+ {{- if .region }}
+ ,
+ {{- end }}
+ "zone": "{{ .zone }}"
+ {{- end }}
+ {{- if .sub_zone }}
+ {{- if or .region .zone }}
+ ,
+ {{- end }}
+ "sub_zone": "{{ .sub_zone }}"
+ {{- end }}
+ },
+ "metadata": {{ .meta_json_str }}
+ },
+ "layered_runtime": {
+ "layers": [
+ {
+ "name": "global config",
+ "static_layer": {{ .runtime_flags }}
+ },
+ {
+ "name": "admin",
+ "admin_layer": {}
+ }
+ ]
+ },
+ "stats_config": {
+ "use_all_default_tags": false,
+ "stats_tags": [
+ {
+ "tag_name": "response_code_class",
+ "regex": "_rq(_(\\dxx))$"
+ },
+ {
+ "tag_name": "listener_address",
+ "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+ },
+ {
+ "tag_name": "http_conn_manager_prefix",
+ "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
+ },
+ {
+ "tag_name": "cluster_name",
+ "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+ }
+ ],
+ "stats_matcher": {
+ "exclusion_list": {
+ "patterns": [
+ {
+ "prefix": "vhost"
+ },
+ {
+ "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
+ }
+ ]
+ }
+ }
+ },
+ "admin": {
+ "access_log_path": "/dev/null",
+ "profile_path": "/var/lib/istio/data/envoy.prof",
+ "address": {
+ "socket_address": {
+ "address": "{{ .localhost }}",
+ "port_value": {{ .config.ProxyAdminPort }}
+ }
+ }
+ },
+ "dynamic_resources": {
+ "lds_config": {
+ "ads": {},
+ "initial_fetch_timeout": "0s",
+ "resource_api_version": "V3"
+ },
+ "cds_config": {
+ "ads": {},
+ "initial_fetch_timeout": "0s",
+ "resource_api_version": "V3"
+ },
+ "ads_config": {
+ "api_type": "{{ .xds_type }}",
+ "set_node_on_first_message_only": true,
+ "transport_api_version": "V3",
+ "grpc_services": [
+ {
+ "envoy_grpc": {
+ "cluster_name": "xds-grpc"
+ }
+ }
+ ]
+ }
+ },
+ "static_resources": {
+ "clusters": [
+ {
+ "name": "prometheus_stats",
+ "type": "STATIC",
+ "connect_timeout": "0.250s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "prometheus_stats",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "{{ .localhost }}",
+ "port_value": {{ .config.ProxyAdminPort }}
+ }
+ }
+ }
+ }]
+ }]
+ }
+ },
+ {
+ "name": "agent",
+ "type": "STATIC",
+ "connect_timeout": "0.250s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "agent",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "{{ .localhost }}",
+ "port_value": {{ .config.StatusPort }}
+ }
+ }
+ }
+ }]
+ }]
+ }
+ },
+ {
+ "name": "sds-grpc",
+ "type": "STATIC",
+ "typed_extension_protocol_options": {
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+ "explicit_http_config": {
+ "http2_protocol_options": {}
+ }
+ }
+ },
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "sds-grpc",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "pipe": {
+ "path": "{{ .config.ConfigPath }}/SDS"
+ }
+ }
+ }
+ }]
+ }]
+ }
+ },
+ {
+ "name": "xds-grpc",
+ "type" : "STATIC",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "xds-grpc",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "pipe": {
+ "path": "{{ .config.ConfigPath }}/XDS"
+ }
+ }
+ }
+ }]
+ }]
+ },
+ "circuit_breakers": {
+ "thresholds": [
+ {
+ "priority": "DEFAULT",
+ "max_connections": 100000,
+ "max_pending_requests": 100000,
+ "max_requests": 100000
+ },
+ {
+ "priority": "HIGH",
+ "max_connections": 100000,
+ "max_pending_requests": 100000,
+ "max_requests": 100000
+ }
+ ]
+ },
+ "upstream_connection_options": {
+ "tcp_keepalive": {
+ "keepalive_time": 300
+ }
+ },
+ "max_requests_per_connection": 1,
+ "typed_extension_protocol_options": {
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+ "explicit_http_config": {
+ "http2_protocol_options": {}
+ }
+ }
+ }
+ }
+ {{ if .zipkin }}
+ ,
+ {
+ "name": "zipkin",
+ {{- if .tracing_tls }}
+ "transport_socket": {{ .tracing_tls }},
+ {{- end }}
+ "type": "STRICT_DNS",
+ "respect_dns_ttl": true,
+ "dns_lookup_family": "{{ .dns_lookup_family }}",
+ "dns_refresh_rate": "30s",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "zipkin",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {{ .zipkin }}
+ }
+ }
+ }]
+ }]
+ }
+ }
+ {{ else if .lightstep }}
+ ,
+ {
+ "name": "lightstep",
+ {{- if .tracing_tls }}
+ "transport_socket": {{ .tracing_tls }},
+ {{- end }}
+ "typed_extension_protocol_options": {
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+ "explicit_http_config": {
+ "http2_protocol_options": {}
+ }
+ }
+ },
+ "type": "STRICT_DNS",
+ "respect_dns_ttl": true,
+ "dns_lookup_family": "{{ .dns_lookup_family }}",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "lightstep",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {{ .lightstep }}
+ }
+ }
+ }]
+ }]
+ }
+ }
+ {{ else if .datadog }}
+ ,
+ {
+ "name": "datadog_agent",
+ {{- if .tracing_tls }}
+ "transport_socket": {{ .tracing_tls }},
+ {{- end }}
+ "connect_timeout": "1s",
+ "type": "STRICT_DNS",
+ "respect_dns_ttl": true,
+ "dns_lookup_family": "{{ .dns_lookup_family }}",
+ "lb_policy": "ROUND_ROBIN",
+ "load_assignment": {
+ "cluster_name": "datadog_agent",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {{ .datadog }}
+ }
+ }
+ }]
+ }]
+ }
+ }
+ {{ end }}
+ {{- if .envoy_metrics_service_address }}
+ ,
+ {
+ "name": "envoy_metrics_service",
+ "type": "STRICT_DNS",
+ {{- if .envoy_metrics_service_tls }}
+ "transport_socket": {{ .envoy_metrics_service_tls }},
+ {{- end }}
+ {{- if .envoy_metrics_service_tcp_keepalive }}
+ "upstream_connection_options": {{ .envoy_metrics_service_tcp_keepalive }},
+ {{- end }}
+ "respect_dns_ttl": true,
+ "dns_lookup_family": "{{ .dns_lookup_family }}",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "typed_extension_protocol_options": {
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+ "explicit_http_config": {
+ "http2_protocol_options": {}
+ }
+ }
+ },
+ "load_assignment": {
+ "cluster_name": "envoy_metrics_service",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {{ .envoy_metrics_service_address }}
+ }
+ }
+ }]
+ }]
+ }
+ }
+ {{ end }}
+ {{ if .envoy_accesslog_service_address }}
+ ,
+ {
+ "name": "envoy_accesslog_service",
+ "type": "STRICT_DNS",
+ {{- if .envoy_accesslog_service_tls }}
+ "transport_socket": {{ .envoy_accesslog_service_tls }},
+ {{- end }}
+ {{- if .envoy_accesslog_service_tcp_keepalive }}
+ "upstream_connection_options": {{ .envoy_accesslog_service_tcp_keepalive }},
+ {{ end }}
+ "respect_dns_ttl": true,
+ "dns_lookup_family": "{{ .dns_lookup_family }}",
+ "connect_timeout": "1s",
+ "lb_policy": "ROUND_ROBIN",
+ "typed_extension_protocol_options": {
+ "envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
+ "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
+ "explicit_http_config": {
+ "http2_protocol_options": {}
+ }
+ }
+ },
+ "load_assignment": {
+ "cluster_name": "envoy_accesslog_service",
+ "endpoints": [{
+ "lb_endpoints": [{
+ "endpoint": {
+ "address":{
+ "socket_address": {{ .envoy_accesslog_service_address }}
+ }
+ }
+ }]
+ }]
+ }
+ }
+ {{ end }}
+ ],
+ "listeners":[
+ {
+ "address": {
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "{{ .wildcard }}",
+ "port_value": {{ .envoy_prometheus_port }}
+ }
+ },
+ "filter_chains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.http_connection_manager",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+ "codec_type": "AUTO",
+ "stat_prefix": "stats",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": [
+ "*"
+ ],
+ "routes": [
+ {
+ "match": {
+ "prefix": "/stats/prometheus"
+ },
+ "route": {
+ "cluster": "prometheus_stats"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "http_filters": [{
+ "name": "envoy.filters.http.router",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+ }
+ }]
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "address": {
+ "socket_address": {
+ "protocol": "TCP",
+ "address": "{{ .wildcard }}",
+ "port_value": {{ .envoy_status_port }}
+ }
+ },
+ "filter_chains": [
+ {
+ "filters": [
+ {
+ "name": "envoy.filters.network.http_connection_manager",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+ "codec_type": "AUTO",
+ "stat_prefix": "agent",
+ "route_config": {
+ "virtual_hosts": [
+ {
+ "name": "backend",
+ "domains": [
+ "*"
+ ],
+ "routes": [
+ {
+ "match": {
+ "prefix": "/healthz/ready"
+ },
+ "route": {
+ "cluster": "agent"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "http_filters": [{
+ "name": "envoy.filters.http.router",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+ }
+ }]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ {{- if .zipkin }}
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.zipkin",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.ZipkinConfig",
+ "collector_cluster": "zipkin",
+ "collector_endpoint": "/api/v2/spans",
+ "collector_endpoint_version": "HTTP_JSON",
+ "trace_id_128bit": true,
+ "shared_span_context": false
+ }
+ }
+ }
+ {{- else if .lightstep }}
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.lightstep",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.LightstepConfig",
+ "collector_cluster": "lightstep",
+ "access_token_file": "{{ .lightstepToken}}"
+ }
+ }
+ }
+ {{- else if .datadog }}
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.datadog",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.DatadogConfig",
+ "collector_cluster": "datadog_agent",
+ "service_name": "{{ .cluster }}"
+ }
+ }
+ }
+ {{- else if .openCensusAgent }}
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.opencensus",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
+ "ocagent_exporter_enabled": true,
+ "ocagent_address": "{{ .openCensusAgent }}",
+ "incoming_trace_context": {{ .openCensusAgentContexts }},
+ "outgoing_trace_context": {{ .openCensusAgentContexts }},
+ "trace_config": {
+ "constant_sampler": {
+ "decision": "ALWAYS_PARENT"
+ },
+ "max_number_of_annotations": 200,
+ "max_number_of_attributes": 200,
+ "max_number_of_message_events": 200,
+ "max_number_of_links": 200
+ }
+ }
+ }
+ }
+ {{- else if .stackdriver }}
+ ,
+ "tracing": {
+ "http": {
+ "name": "envoy.tracers.opencensus",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig",
+ "stackdriver_exporter_enabled": true,
+ "stackdriver_project_id": "{{ .stackdriverProjectID }}",
+ {{ if .sts_port }}
+ "stackdriver_grpc_service": {
+ "google_grpc": {
+ "target_uri": "cloudtrace.googleapis.com",
+ "stat_prefix": "oc_stackdriver_tracer",
+ "channel_credentials": {
+ "ssl_credentials": {}
+ },
+ "call_credentials": [{
+ "sts_service": {
+ "token_exchange_service_uri": "http://localhost:{{ .sts_port }}/token",
+ "subject_token_path": "/var/run/secrets/tokens/istio-token",
+ "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+ "scope": "https://www.googleapis.com/auth/cloud-platform"
+ }
+ }]
+ },
+ "initial_metadata": [
+ {{ if .gcp_project_id }}
+ {
+ "key": "x-goog-user-project",
+ "value": "{{ .gcp_project_id }}"
+ }
+ {{ end }}
+ ]
+ },
+ {{ end }}
+ "stdout_exporter_enabled": {{ .stackdriverDebug }},
+ "incoming_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
+ "outgoing_trace_context": ["CLOUD_TRACE_CONTEXT", "TRACE_CONTEXT", "GRPC_TRACE_BIN", "B3"],
+ "trace_config":{
+ "constant_sampler":{
+ "decision": "ALWAYS_PARENT"
+ },
+ "max_number_of_annotations": {{ .stackdriverMaxAnnotations }},
+ "max_number_of_attributes": {{ .stackdriverMaxAttributes }},
+ "max_number_of_message_events": {{ .stackdriverMaxEvents }},
+ "max_number_of_links": 200
+ }
+ }
+ }}
+ {{ end }}
+ {{ if or .envoy_metrics_service_address .statsd }}
+ ,
+ "stats_sinks": [
+ {{ if .envoy_metrics_service_address }}
+ {
+ "name": "envoy.stat_sinks.metrics_service",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig",
+ "transport_api_version": "V3",
+ "grpc_service": {
+ "envoy_grpc": {
+ "cluster_name": "envoy_metrics_service"
+ }
+ }
+ }
+ }
+ {{ end }}
+ {{ if and .envoy_metrics_service_address .statsd }}
+ ,
+ {{ end }}
+ {{ if .statsd }}
+ {
+ "name": "envoy.stat_sinks.statsd",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.config.metrics.v3.StatsdSink",
+ "address": {
+ "socket_address": {{ .statsd }}
+ }
+ }
+ }
+ {{ end }}
+ ]
+ {{ end }}
+ {{ if .outlier_log_path }}
+ ,
+ "cluster_manager": {
+ "outlier_detection": {
+ "event_log_path": "{{ .outlier_log_path }}"
+ }
+ }
+ {{ end }}
+}
diff -Naur istio/tools/packaging/common/higress-proxy-container-init.sh istio-new/tools/packaging/common/higress-proxy-container-init.sh
--- istio/tools/packaging/common/higress-proxy-container-init.sh 1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/higress-proxy-container-init.sh 2024-05-19 16:30:06.202757394 +0800
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+mkdir -p /var/log/proxy
+
+mkdir -p /var/lib/istio
+
+chown -R 1337.1337 /var/log/proxy
+
+chown -R 1337.1337 /var/lib/logrotate
+
+chown -R 1337.1337 /var/lib/istio
+
+cat <<EOF > /etc/logrotate.d/higress-logrotate
+/var/log/proxy/access.log
+{
+su 1337 1337
+rotate 5
+create 644 1337 1337
+nocompress
+notifempty
+minsize 100M
+postrotate
+ ps aux|grep "envoy -c"|grep -v "grep"|awk '{print $2}'|xargs -i kill -SIGUSR1 {}
+endscript
+}
+EOF
+
+chmod -R 0644 /etc/logrotate.d/higress-logrotate
+
+cat <<EOF > /var/lib/istio/cron.txt
+* * * * * /usr/sbin/logrotate /etc/logrotate.d/higress-logrotate
+EOF
diff -Naur istio/tools/packaging/common/higress-proxy-start.sh istio-new/tools/packaging/common/higress-proxy-start.sh
--- istio/tools/packaging/common/higress-proxy-start.sh 1970-01-01 08:00:00.000000000 +0800
+++ istio-new/tools/packaging/common/higress-proxy-start.sh 2024-05-19 16:33:18.802761176 +0800
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ -n "$LITE_METRICS" ]; then
+ cp /var/lib/istio/envoy/envoy_bootstrap_lite_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
+fi
+
+nohup supercronic /var/lib/istio/cron.txt &> /dev/null &
+
+/usr/local/bin/pilot-agent $*
+

83
istio/1.12/patches/istio/20240521-optimize-bootstrap.patch
View File

@@ -1,83 +0,0 @@
diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
--- istio/tools/packaging/common/envoy_bootstrap.json 2024-05-21 23:46:21.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json 2024-05-21 23:47:54.000000000 +0800
@@ -37,55 +37,15 @@
"use_all_default_tags": false,
"stats_tags": [
{
- "tag_name": "phase",
- "regex": "(_phase=([a-z_]+))"
- },
- {
- "tag_name": "ruleid",
- "regex": "(_ruleid=([0-9]+))"
- },
- {
- "tag_name": "route",
- "regex": "^vhost\\..*?\\.route\\.([^\\.]+\\.)upstream"
- },
- {
- "tag_name": "ecds_name",
- "regex": "extension_config_discovery\\.(.*?\\.)[^\\.]+$"
- },
- {
- "tag_name": "rds_name",
- "regex": "rds\\.(.*?\\.)[^\\.]+$"
- },
- {
- "tag_name": "sds_name",
- "regex": "sds\\.(.*?\\.)[^\\.]+$"
- },
- {
- "tag_name": "vhost",
- "regex": "^vhost\\.((.*?)\\.)(vcluster|route)"
- },
- {
- "tag_name": "vcluster",
- "regex": "vcluster\\.((.*?)\\.)upstream"
- },
- {
- "tag_name": "dest_zone",
- "regex": "zone\\.[^\\.]+\\.([^\\.]+\\.)"
- },
- {
- "tag_name": "from_zone",
- "regex": "zone\\.([^\\.]+\\.)"
- },
- {
"tag_name": "cluster_name",
- "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
+ "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
},
{
"tag_name": "tcp_prefix",
"regex": "^tcp\\.((.*?)\\.)\\w+?$"
},
{
- "regex": "(response_code=\\.=(.+?);\\.;)|_rq(_(\\.d{3}))$",
+ "regex": "_rq(_(\\d{3}))$",
"tag_name": "response_code"
},
{
@@ -98,7 +58,7 @@
},
{
"tag_name": "http_conn_manager_prefix",
- "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
+ "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
},
{
"tag_name": "listener_address",
@@ -108,12 +68,6 @@
"tag_name": "mongo_prefix",
"regex": "^mongo\\.(.+?)\\.(collection|cmd|cx_|op_|delays_|decoding_)(.*?)$"
},
- {{- range $a, $tag := .extraStatTags }}
- {
- "regex": "({{ $tag }}=\\.=(.*?);\\.;)",
- "tag_name": "{{ $tag }}"
- },
- {{- end }}
{
"regex": "(cache\\.(.+?)\\.)",
"tag_name": "cache"

69
istio/1.12/patches/istio/20240527-fix-vs-merge.patch
View File

@@ -1,69 +0,0 @@
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2024-05-27 21:33:45.000000000 +0800
@@ -1482,8 +1482,14 @@
ns := virtualService.Namespace
rule := virtualService.Spec.(*networking.VirtualService)
// Added by ingress
- for _, host := range rule.Hosts {
- ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+ if len(rule.Gateways) > 0 {
+ if len(rule.Hosts) == 0 {
+ ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost] = append(ps.virtualServiceIndex.byHost[constants.GlobalWildcardHost], virtualService)
+ } else {
+ for _, host := range rule.Hosts {
+ ps.virtualServiceIndex.byHost[host] = append(ps.virtualServiceIndex.byHost[host], virtualService)
+ }
+ }
}
// End added by ingress
gwNames := getGatewayNames(rule)
diff -Naur istio/pilot/pkg/networking/core/v1alpha3/gateway.go istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go
--- istio/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pilot/pkg/networking/core/v1alpha3/gateway.go 2024-05-27 22:58:33.000000000 +0800
@@ -376,8 +376,15 @@
gatewayVirtualServices[gatewayName] = virtualServices
}
for _, virtualService := range virtualServices {
- for _, host := range virtualService.Spec.(*networking.VirtualService).Hosts {
- hostSet.Insert(host)
+ rule := virtualService.Spec.(*networking.VirtualService)
+ if len(rule.Gateways) > 0 {
+ if len(rule.Hosts) == 0 {
+ hostSet.Insert(constants.GlobalWildcardHost)
+ break
+ }
+ for _, host := range rule.Hosts {
+ hostSet.Insert(host)
+ }
}
}
}
@@ -689,7 +696,7 @@
vHost = &route.VirtualHost{
Name: util.DomainName(hostRDSHost, port),
Domains: buildGatewayVirtualHostDomains(hostRDSHost, port),
- Routes: routes,
+ Routes: append(routes[:0:0], routes...),
IncludeRequestAttemptCount: true,
TypedPerFilterConfig: mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
}
@@ -884,7 +891,7 @@
newVHost := &route.VirtualHost{
Name: util.DomainName(string(hostname), port),
Domains: buildGatewayVirtualHostDomains(string(hostname), port),
- Routes: routes,
+ Routes: append(routes[:0:0], routes...),
IncludeRequestAttemptCount: true,
TypedPerFilterConfig: mseingress.ConstructTypedPerFilterConfigForVHost(globalHTTPFilters, virtualService),
}
diff -Naur istio/pkg/config/constants/constants.go istio-new/pkg/config/constants/constants.go
--- istio/pkg/config/constants/constants.go 2024-05-27 23:03:09.000000000 +0800
+++ istio-new/pkg/config/constants/constants.go 2024-05-27 21:31:58.000000000 +0800
@@ -145,5 +145,6 @@
// Added by ingress
HigressHostRDSNamePrefix = "higress-rds-"
DefaultScopedRouteName = "scoped-route"
+ GlobalWildcardHost = "*"
// End added by ingress
)

17
istio/1.12/patches/istio/20240529-optimize-mcp-cds.patch
View File

@@ -1,17 +0,0 @@
diff -Naur istio/pilot/pkg/model/push_context.go istio-new/pilot/pkg/model/push_context.go
--- istio/pilot/pkg/model/push_context.go 2024-05-29 19:29:45.000000000 +0800
+++ istio-new/pilot/pkg/model/push_context.go 2024-05-29 19:11:03.000000000 +0800
@@ -769,6 +769,13 @@
for _, s := range svcs {
svcHost := string(s.Hostname)
+ // Added by ingress
+ if s.Attributes.Namespace == "mcp" {
+ gwSvcs = append(gwSvcs, s)
+ continue
+ }
+ // End added by ingress
+
if _, ok := hostsFromGateways[svcHost]; ok {
gwSvcs = append(gwSvcs, s)
}

21
istio/1.12/patches/istio/20240607-fix-stats.patch
View File

@@ -1,21 +0,0 @@
diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
--- istio/tools/packaging/common/envoy_bootstrap.json 2024-06-07 16:50:21.000000000 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json 2024-06-07 16:47:42.000000000 +0800
@@ -38,7 +38,7 @@
"stats_tags": [
{
"tag_name": "cluster_name",
- "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)"
+ "regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
},
{
"tag_name": "tcp_prefix",
@@ -58,7 +58,7 @@
},
{
"tag_name": "http_conn_manager_prefix",
- "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)"
+ "regex": "^http\\.(((outbound_([0-9]{1,3}\\.{0,1}){4}_\\d{0,5})|([^\\.]+))\\.)"
},
{
"tag_name": "listener_address",

53
istio/1.12/patches/istio/20240619-ai-stats.patch
View File

@@ -1,53 +0,0 @@
diff -Naur istio/tools/packaging/common/envoy_bootstrap.json istio-new/tools/packaging/common/envoy_bootstrap.json
--- istio/tools/packaging/common/envoy_bootstrap.json 2024-06-19 13:39:49.179159469 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap.json 2024-06-19 13:39:28.299159059 +0800
@@ -37,6 +37,18 @@
"use_all_default_tags": false,
"stats_tags": [
{
+ "tag_name": "ai_route",
+ "regex": "^wasmcustom\\.route\\.((.*?)\\.)upstream"
+ },
+ {
+ "tag_name": "ai_cluster",
+ "regex": "^wasmcustom\\..*?\\.upstream\\.((.*?)\\.)model"
+ },
+ {
+ "tag_name": "ai_model",
+ "regex": "^wasmcustom\\..*?\\.model\\.((.*?)\\.)(input_token|output_token)"
+ },
+ {
"tag_name": "cluster_name",
"regex": "^cluster\\.((.*?)\\.)(http1\\.|http2\\.|health_check\\.|zone\\.|external\\.|circuit_breakers\\.|[^\\.]+$)"
},
diff -Naur istio/tools/packaging/common/envoy_bootstrap_lite.json istio-new/tools/packaging/common/envoy_bootstrap_lite.json
--- istio/tools/packaging/common/envoy_bootstrap_lite.json 2024-06-19 13:39:49.175159469 +0800
+++ istio-new/tools/packaging/common/envoy_bootstrap_lite.json 2024-06-19 13:38:52.283158352 +0800
@@ -37,6 +37,18 @@
"use_all_default_tags": false,
"stats_tags": [
{
+ "tag_name": "ai_route",
+ "regex": "^wasmcustom\\.route\\.((.*?)\\.)upstream"
+ },
+ {
+ "tag_name": "ai_cluster",
+ "regex": "^wasmcustom\\..*?\\.upstream\\.((.*?)\\.)model"
+ },
+ {
+ "tag_name": "ai_model",
+ "regex": "^wasmcustom\\..*?\\.model\\.((.*?)\\.)(input_token|output_token)"
+ },
+ {
"tag_name": "response_code_class",
"regex": "_rq(_(\\dxx))$"
},
@@ -60,7 +72,7 @@
"prefix": "vhost"
},
{
- "safe_regex": {"regex": "^http.*rds.*", "google_re2":{}}
+ "safe_regex": {"regex": "^http.*\\.rds\\..*", "google_re2":{}}
}
]
}

74
istio/1.12/patches/pkg/20221027-init.patch
View File

@@ -1,74 +0,0 @@
diff --git a/log/config.go b/log/config.go
index f0d9c0c..8e008c9 100644
--- a/log/config.go
+++ b/log/config.go
@@ -141,6 +141,12 @@ func prepZap(options *Options) (zapcore.Core, zapcore.Core, zapcore.WriteSyncer,
} else {
encCfg := defaultEncoderConfig
+ // Added by ingress
+ // Support local time format
+ if options.LocalTime {
+ encCfg.EncodeTime = formatLocalDate
+ }
+
if options.JSONEncoding {
enc = zapcore.NewJSONEncoder(encCfg)
useJSON.Store(true)
@@ -239,6 +245,42 @@ func formatDate(t time.Time, enc zapcore.PrimitiveArrayEncoder) {
enc.AppendString(string(buf))
}
+func formatLocalDate(t time.Time, enc zapcore.PrimitiveArrayEncoder) {
+ t = t.Local()
+ year, month, day := t.Date()
+ hour, minute, second := t.Clock()
+ micros := t.Nanosecond() / 1000
+ buf := make([]byte, 27)
+ buf[0] = byte((year/1000)%10) + '0'
+ buf[1] = byte((year/100)%10) + '0'
+ buf[2] = byte((year/10)%10) + '0'
+ buf[3] = byte(year%10) + '0'
+ buf[4] = '-'
+ buf[5] = byte((month)/10) + '0'
+ buf[6] = byte((month)%10) + '0'
+ buf[7] = '-'
+ buf[8] = byte((day)/10) + '0'
+ buf[9] = byte((day)%10) + '0'
+ buf[10] = 'T'
+ buf[11] = byte((hour)/10) + '0'
+ buf[12] = byte((hour)%10) + '0'
+ buf[13] = ':'
+ buf[14] = byte((minute)/10) + '0'
+ buf[15] = byte((minute)%10) + '0'
+ buf[16] = ':'
+ buf[17] = byte((second)/10) + '0'
+ buf[18] = byte((second)%10) + '0'
+ buf[19] = '.'
+ buf[20] = byte((micros/100000)%10) + '0'
+ buf[21] = byte((micros/10000)%10) + '0'
+ buf[22] = byte((micros/1000)%10) + '0'
+ buf[23] = byte((micros/100)%10) + '0'
+ buf[24] = byte((micros/10)%10) + '0'
+ buf[25] = byte((micros)%10) + '0'
+ buf[26] = 'Z'
+ enc.AppendString(string(buf))
+}
+
func updateScopes(options *Options) error {
// snapshot what's there
allScopes := Scopes()
diff --git a/log/options.go b/log/options.go
index e1833fe..999e4b2 100644
--- a/log/options.go
+++ b/log/options.go
@@ -133,6 +133,9 @@ type Options struct {
teeToUDSServer bool
udsSocketAddress string
udsServerPath string
+
+ // localTime determines whether the time format of istio log is local time format.
+ LocalTime bool
}
// DefaultOptions returns a new set of options, initialized to the defaults

309
istio/1.12/patches/proxy/20221027-init.patch
View File

@@ -1,309 +0,0 @@
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 60709804..ba73de92 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -206,6 +206,10 @@ test_release_centos:
push_release: build
export PATH=$(PATH) CC=$(CC) CXX=$(CXX) BAZEL_BUILD_ARGS="$(BAZEL_BUILD_ARGS)" && ./scripts/release-binary.sh -d "$(RELEASE_GCS_PATH)" -p
+push_release_simple: build
+ export PATH=$(PATH) CC=$(CC) CXX=$(CXX) BAZEL_BUILD_ARGS="$(BAZEL_BUILD_ARGS)" && ./scripts/release-binary.sh -p
+
+
push_release_centos:
export PATH=$(PATH) CC=$(CC) CXX=$(CXX) BAZEL_BUILD_ARGS="$(BAZEL_BUILD_ARGS) $(CENTOS_BUILD_ARGS)" BUILD_ENVOY_BINARY_ONLY=1 BASE_BINARY_NAME=envoy-centos && ./scripts/release-binary.sh -c -d "$(RELEASE_GCS_PATH)"
diff --git a/WORKSPACE b/WORKSPACE
index 0455bd98..0d248bed 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -49,11 +49,16 @@ ENVOY_REPO = "envoy"
# To override with local envoy, just pass `--override_repository=envoy=/PATH/TO/ENVOY` to Bazel or
# persist the option in `user.bazelrc`.
-http_archive(
+# http_archive(
+# name = "envoy",
+# sha256 = ENVOY_SHA256,
+# strip_prefix = ENVOY_REPO + "-" + ENVOY_SHA,
+# url = "https://github.com/" + ENVOY_ORG + "/" + ENVOY_REPO + "/archive/" + ENVOY_SHA + ".tar.gz",
+# )
+
+local_repository(
name = "envoy",
- sha256 = ENVOY_SHA256,
- strip_prefix = ENVOY_REPO + "-" + ENVOY_SHA,
- url = "https://github.com/" + ENVOY_ORG + "/" + ENVOY_REPO + "/archive/" + ENVOY_SHA + ".tar.gz",
+ path = "../envoy",
)
load("@envoy//bazel:api_binding.bzl", "envoy_api_binding")
diff --git a/bazel/extension_config/extensions_build_config.bzl b/bazel/extension_config/extensions_build_config.bzl
index 07003785..f0a56715 100644
--- a/bazel/extension_config/extensions_build_config.bzl
+++ b/bazel/extension_config/extensions_build_config.bzl
@@ -342,6 +342,11 @@ ENVOY_CONTRIB_EXTENSIONS = {
#
"envoy.bootstrap.vcl": "//contrib/vcl/source:config",
+
+ # waf extension
+
+ # Custom cluster plugins
+ "envoy.router.cluster_specifier_plugin.cluster_fallback": "//contrib/custom_cluster_plugins/cluster_fallback/source:config",
}
@@ -362,6 +367,7 @@ ISTIO_ENABLED_CONTRIB_EXTENSIONS = [
"envoy.filters.network.sip_proxy",
"envoy.filters.sip.router",
"envoy.tls.key_providers.cryptomb",
+ "envoy.router.cluster_specifier_plugin.cluster_fallback",
]
EXTENSIONS = dict([(k,v) for k,v in ENVOY_EXTENSIONS.items() if not k in ISTIO_DISABLED_EXTENSIONS] +
diff --git a/common/scripts/run.sh b/common/scripts/run.sh
index 271fe77a..79e43d7b 100755
--- a/common/scripts/run.sh
+++ b/common/scripts/run.sh
@@ -36,6 +36,10 @@ export REPO_ROOT=/work
MOUNT_SOURCE="${MOUNT_SOURCE:-${PWD}}"
MOUNT_DEST="${MOUNT_DEST:-/work}"
+CONTAINER_OPTIONS="${CONTAINER_OPTIONS:---net=host}"
+MOUNT_ENVOY_SOURCE="${MOUNT_ENVOY_SOURCE:-`cd $MOUNT_SOURCE/../envoy;pwd`}"
+MOUNT_PACKAGE_SOURCE="${MOUNT_PACKAGE_SOURCE:-`cd $MOUNT_SOURCE/../package;pwd`}"
+MOUNT_ROOT_SOURCE="${MOUNT_ROOT_SOURCE:-`cd $MOUNT_SOURCE/..;pwd`}"
read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
@@ -55,7 +59,11 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
--env-file <(env | grep -v ${ENV_BLOCKLIST}) \
-e IN_BUILD_CONTAINER=1 \
-e TZ="${TIMEZONE:-$TZ}" \
+ --mount "type=bind,source=${MOUNT_PACKAGE_SOURCE},destination=/home/package" \
+ --mount "type=bind,source=${HOME}/.docker,destination=/home/.docker" \
--mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
+ --mount "type=bind,source=${MOUNT_ROOT_SOURCE}/..,destination=/parent" \
+ --mount "type=bind,source=${MOUNT_ENVOY_SOURCE},destination=/envoy" \
--mount "type=volume,source=go,destination=/go" \
--mount "type=volume,source=gocache,destination=/gocache" \
--mount "type=volume,source=cache,destination=/home/.cache" \
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
index 4a5e80bb..f6174941 100755
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@@ -84,7 +84,8 @@ export TARGET_OUT_LINUX="${TARGET_OUT_LINUX:-$(pwd)/out/linux_${TARGET_ARCH}}"
export CONTAINER_TARGET_OUT="${CONTAINER_TARGET_OUT:-/work/out/${TARGET_OS}_${TARGET_ARCH}}"
export CONTAINER_TARGET_OUT_LINUX="${CONTAINER_TARGET_OUT_LINUX:-/work/out/linux_${TARGET_ARCH}}"
-export IMG="${IMG:-gcr.io/istio-testing/${IMAGE_NAME}:${IMAGE_VERSION}}"
+#export IMG="${IMG:-gcr.io/istio-testing/${IMAGE_NAME}:${IMAGE_VERSION}}"
+export IMG="${IMG:-higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/${IMAGE_NAME}:${IMAGE_VERSION}}"
export CONTAINER_CLI="${CONTAINER_CLI:-docker}"
diff --git a/scripts/release-binary.sh b/scripts/release-binary.sh
index 7059f5c1..8673b982 100755
--- a/scripts/release-binary.sh
+++ b/scripts/release-binary.sh
@@ -19,7 +19,7 @@
set -ex
# Use clang for the release builds.
-export PATH=/usr/lib/llvm-10/bin:$PATH
+export PATH=/usr/lib/llvm/bin:$PATH
export CC=${CC:-clang}
export CXX=${CXX:-clang++}
@@ -98,25 +98,26 @@ fi
# The proxy binary name.
SHA="$(git rev-parse --verify HEAD)"
-if [ -n "${DST}" ]; then
- # If binary already exists skip.
- # Use the name of the last artifact to make sure that everything was uploaded.
- BINARY_NAME="${HOME}/istio-proxy-debug-${SHA}.deb"
- gsutil stat "${DST}/${BINARY_NAME}" \
- && { echo 'Binary already exists'; exit 0; } \
- || echo 'Building a new binary.'
-fi
+# if [ -n "${DST}" ]; then
+# # If binary already exists skip.
+# # Use the name of the last artifact to make sure that everything was uploaded.
+# BINARY_NAME="${HOME}/istio-proxy-debug-${SHA}.deb"
+# gsutil stat "${DST}/${BINARY_NAME}" \
+# && { echo 'Binary already exists'; exit 0; } \
+# || echo 'Building a new binary.'
+# fi
# BAZEL_OUT: Symlinks don't work, use full path as a temporary workaround.
# See: https://github.com/istio/istio/issues/15714 for details.
# k8-opt is the output directory for x86_64 optimized builds (-c opt, so --config=release-symbol and --config=release).
# k8-dbg is the output directory for -c dbg builds.
-for config in release release-symbol debug
+#for config in release release-symbol debug
+for config in release
do
case $config in
"release" )
CONFIG_PARAMS="--config=release"
- BINARY_BASE_NAME="${BASE_BINARY_NAME}-alpha"
+ BINARY_BASE_NAME="${BASE_BINARY_NAME}"
PACKAGE_BASE_NAME="istio-proxy"
# shellcheck disable=SC2086
BAZEL_OUT="$(bazel info ${BAZEL_BUILD_ARGS} output_path)/k8-opt/bin"
@@ -149,7 +150,7 @@ do
export BUILD_CONFIG=${config}
echo "Building ${config} proxy"
- BINARY_NAME="${HOME}/${BINARY_BASE_NAME}-${SHA}.tar.gz"
+ BINARY_NAME="${HOME}/package/${BINARY_BASE_NAME}.tar.gz"
SHA256_NAME="${HOME}/${BINARY_BASE_NAME}-${SHA}.sha256"
# All cores are used by com_googlesource_chromium_v8:build within.
# Prebuild this target to avoid stacking this ram intensive task with others.
@@ -174,14 +175,12 @@ do
echo "Building ${config} docker image"
# shellcheck disable=SC2086
bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} \
- //tools/docker:envoy_distroless \
//tools/docker:envoy_ubuntu
if [ "${PUSH_DOCKER_IMAGE}" -eq 1 ]; then
echo "Pushing ${config} docker image"
# shellcheck disable=SC2086
bazel run ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} \
- //tools/docker:push_envoy_distroless \
//tools/docker:push_envoy_ubuntu
fi
@@ -209,36 +208,36 @@ if [ "${BUILD_ENVOY_BINARY_ONLY}" -eq 1 ]; then
fi
# Build and publish Wasm plugins
-extensions=(stats metadata_exchange attributegen)
-TMP_WASM=$(mktemp -d -t wasm-plugins-XXXXXXXXXX)
-trap 'rm -rf ${TMP_WASM}' EXIT
-make build_wasm
-if [ -n "${DST}" ]; then
- for extension in "${extensions[@]}"; do
- # Rename the plugin file and generate sha256 for it
- WASM_NAME="${extension}-${SHA}.wasm"
- WASM_COMPILED_NAME="${extension}-${SHA}.compiled.wasm"
- WASM_PATH="${TMP_WASM}/${WASM_NAME}"
- WASM_COMPILED_PATH="${TMP_WASM}/${WASM_COMPILED_NAME}"
- SHA256_PATH="${WASM_PATH}.sha256"
- SHA256_COMPILED_PATH="${WASM_COMPILED_PATH}.sha256"
- # shellcheck disable=SC2086
- BAZEL_TARGET=$(bazel info ${BAZEL_BUILD_ARGS} output_path)/k8-opt/bin/extensions/${extension}.wasm
- # shellcheck disable=SC2086
- BAZEL_COMPILED_TARGET=$(bazel info ${BAZEL_BUILD_ARGS} output_path)/k8-opt/bin/extensions/${extension}.compiled.wasm
- cp "${BAZEL_TARGET}" "${WASM_PATH}"
- cp "${BAZEL_COMPILED_TARGET}" "${WASM_COMPILED_PATH}"
- sha256sum "${WASM_PATH}" > "${SHA256_PATH}"
- sha256sum "${WASM_COMPILED_PATH}" > "${SHA256_COMPILED_PATH}"
+# extensions=(stats metadata_exchange attributegen)
+# TMP_WASM=$(mktemp -d -t wasm-plugins-XXXXXXXXXX)
+# trap 'rm -rf ${TMP_WASM}' EXIT
+# make build_wasm
+# if [ -n "${DST}" ]; then
+# for extension in "${extensions[@]}"; do
+# # Rename the plugin file and generate sha256 for it
+# WASM_NAME="${extension}-${SHA}.wasm"
+# WASM_COMPILED_NAME="${extension}-${SHA}.compiled.wasm"
+# WASM_PATH="${TMP_WASM}/${WASM_NAME}"
+# WASM_COMPILED_PATH="${TMP_WASM}/${WASM_COMPILED_NAME}"
+# SHA256_PATH="${WASM_PATH}.sha256"
+# SHA256_COMPILED_PATH="${WASM_COMPILED_PATH}.sha256"
+# # shellcheck disable=SC2086
+# BAZEL_TARGET=$(bazel info ${BAZEL_BUILD_ARGS} output_path)/k8-opt/bin/extensions/${extension}.wasm
+# # shellcheck disable=SC2086
+# BAZEL_COMPILED_TARGET=$(bazel info ${BAZEL_BUILD_ARGS} output_path)/k8-opt/bin/extensions/${extension}.compiled.wasm
+# cp "${BAZEL_TARGET}" "${WASM_PATH}"
+# cp "${BAZEL_COMPILED_TARGET}" "${WASM_COMPILED_PATH}"
+# sha256sum "${WASM_PATH}" > "${SHA256_PATH}"
+# sha256sum "${WASM_COMPILED_PATH}" > "${SHA256_COMPILED_PATH}"
- # push wasm files and sha to the given bucket
- gsutil stat "${DST}/${WASM_NAME}" \
- && { echo "WASM file ${WASM_NAME} already exist"; continue; } \
- || echo "Pushing the WASM file ${WASM_NAME}"
- gsutil stat "${DST}/${WASM_COMPILED_NAME}" \
- && { echo "WASM file ${WASM_COMPILED_NAME} already exist"; continue; } \
- || echo "Pushing the WASM file ${WASM_COMPILED_NAME}"
- gsutil cp "${WASM_PATH}" "${SHA256_PATH}" "${DST}"
- gsutil cp "${WASM_COMPILED_PATH}" "${SHA256_COMPILED_PATH}" "${DST}"
- done
-fi
+# # push wasm files and sha to the given bucket
+# gsutil stat "${DST}/${WASM_NAME}" \
+# && { echo "WASM file ${WASM_NAME} already exist"; continue; } \
+# || echo "Pushing the WASM file ${WASM_NAME}"
+# gsutil stat "${DST}/${WASM_COMPILED_NAME}" \
+# && { echo "WASM file ${WASM_COMPILED_NAME} already exist"; continue; } \
+# || echo "Pushing the WASM file ${WASM_COMPILED_NAME}"
+# gsutil cp "${WASM_PATH}" "${SHA256_PATH}" "${DST}"
+# gsutil cp "${WASM_COMPILED_PATH}" "${SHA256_COMPILED_PATH}" "${DST}"
+# done
+# fi
diff --git a/src/envoy/BUILD b/src/envoy/BUILD
index 5f35b0f7..671640cb 100644
--- a/src/envoy/BUILD
+++ b/src/envoy/BUILD
@@ -18,6 +18,15 @@ load("@rules_pkg//:pkg.bzl", "pkg_tar")
load(
"@envoy//bazel:envoy_build_system.bzl",
"envoy_cc_binary",
+ "envoy_cc_contrib_extension",
+ "envoy_cc_library",
+ "envoy_contrib_package",
+)
+load(
+ "@envoy//contrib:all_contrib_extensions.bzl",
+ "ARM64_SKIP_CONTRIB_TARGETS",
+ "PPC_SKIP_CONTRIB_TARGETS",
+ "envoy_all_contrib_extensions",
)
envoy_cc_binary(
@@ -37,6 +46,18 @@ envoy_cc_binary(
"//src/envoy/tcp/sni_verifier:config_lib",
"//src/envoy/tcp/tcp_cluster_rewrite:config_lib",
"@envoy//source/exe:envoy_main_entry_lib",
+ ] + [
+ "@envoy//contrib/custom_cluster_plugins/cluster_fallback/source:config",
+ "@envoy//contrib/http_dubbo_transcoder/filters/http/source:config",
+ "@envoy//contrib/kafka/filters/network/source:kafka_broker_config_lib",
+ "@envoy//contrib/kafka/filters/network/source/mesh:config_lib",
+ "@envoy//contrib/mysql_proxy/filters/network/source:config",
+ "@envoy//contrib/postgres_proxy/filters/network/source:config",
+ "@envoy//contrib/rocketmq_proxy/filters/network/source:config",
+ "@envoy//contrib/sip_proxy/filters/network/source:config",
+ "@envoy//contrib/sip_proxy/filters/network/source/router:config",
+ "@envoy//contrib/squash/filters/http/source:config",
+ "@envoy//contrib/upstreams/http/dubbo_tcp/source:config"
],
)
diff --git a/tools/docker/BUILD b/tools/docker/BUILD
index d5a6e5fd..f949c13f 100644
--- a/tools/docker/BUILD
+++ b/tools/docker/BUILD
@@ -36,7 +36,7 @@ container_push(
name = "push_envoy_distroless",
format = "Docker",
image = ":envoy_distroless",
- registry = "gcr.io",
+ registry = "registry.cn-hangzhou.aliyuncs.com",
repository = "{DOCKER_REPOSITORY}",
tag = "{BUILD_CONFIG}-{BUILD_SCM_REVISION}",
)
@@ -45,7 +45,7 @@ container_push(
name = "push_envoy_ubuntu",
format = "Docker",
image = ":envoy_ubuntu",
- registry = "gcr.io",
+ registry = "registry.cn-hangzhou.aliyuncs.com",
repository = "{DOCKER_REPOSITORY}",
tag = "ubuntu-{BUILD_CONFIG}-{BUILD_SCM_REVISION}",
)

19
istio/1.12/patches/proxy/20230408-build-extensions.patch
View File

@@ -1,19 +0,0 @@
diff -Naur proxy/common/scripts/run.sh proxy-new/common/scripts/run.sh
--- proxy/common/scripts/run.sh 2023-04-08 21:12:05.896147208 +0800
+++ proxy-new/common/scripts/run.sh 2023-04-08 20:33:51.935437889 +0800
@@ -40,6 +40,7 @@
MOUNT_ENVOY_SOURCE="${MOUNT_ENVOY_SOURCE:-`cd $MOUNT_SOURCE/../envoy;pwd`}"
MOUNT_PACKAGE_SOURCE="${MOUNT_PACKAGE_SOURCE:-`cd $MOUNT_SOURCE/../package;pwd`}"
MOUNT_ROOT_SOURCE="${MOUNT_ROOT_SOURCE:-`cd $MOUNT_SOURCE/..;pwd`}"
+MOUNT_PLUGINS_SOURCE="${MOUNT_PLUGINS_SOURCE:-`cd $MOUNT_SOURCE/../../plugins/wasm-cpp;pwd`}"
read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
@@ -64,6 +65,7 @@
--mount "type=bind,source=${MOUNT_SOURCE},destination=/work" \
--mount "type=bind,source=${MOUNT_ROOT_SOURCE}/..,destination=/parent" \
--mount "type=bind,source=${MOUNT_ENVOY_SOURCE},destination=/envoy" \
+ --mount "type=bind,source=${MOUNT_PLUGINS_SOURCE},destination=/wasm-cpp" \
--mount "type=volume,source=go,destination=/go" \
--mount "type=volume,source=gocache,destination=/gocache" \
--mount "type=volume,source=cache,destination=/home/.cache" \

38
istio/1.12/patches/proxy/20240519-v8-upgrade.patch
View File

@@ -1,38 +0,0 @@
diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
--- proxy/scripts/release-binary.sh 2024-05-19 12:33:33.254478650 +0800
+++ proxy-new/scripts/release-binary.sh 2024-05-19 12:31:11.714475870 +0800
@@ -112,7 +112,7 @@
# k8-opt is the output directory for x86_64 optimized builds (-c opt, so --config=release-symbol and --config=release).
# k8-dbg is the output directory for -c dbg builds.
#for config in release release-symbol debug
-for config in release
+for config in release release-symbol
do
case $config in
"release" )
diff -Naur proxy/scripts/release-binary.sh proxy-new/scripts/release-binary.sh
--- proxy/scripts/release-binary.sh 2024-05-19 12:27:51.030471929 +0800
+++ proxy-new/scripts/release-binary.sh 2024-05-19 12:04:55.738444918 +0800
@@ -152,10 +152,6 @@
echo "Building ${config} proxy"
BINARY_NAME="${HOME}/package/${BINARY_BASE_NAME}.tar.gz"
SHA256_NAME="${HOME}/${BINARY_BASE_NAME}-${SHA}.sha256"
- # All cores are used by com_googlesource_chromium_v8:build within.
- # Prebuild this target to avoid stacking this ram intensive task with others.
- # shellcheck disable=SC2086
- bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} @com_googlesource_chromium_v8//:build
# shellcheck disable=SC2086
bazel build ${BAZEL_BUILD_ARGS} ${CONFIG_PARAMS} //src/envoy:envoy_tar
BAZEL_TARGET="${BAZEL_OUT}/src/envoy/envoy_tar.tar.gz"
diff -Naur proxy/tools/deb/test/build_docker.sh proxy-new/tools/deb/test/build_docker.sh
--- proxy/tools/deb/test/build_docker.sh 2024-05-19 12:27:51.030471929 +0800
+++ proxy-new/tools/deb/test/build_docker.sh 2024-05-19 12:05:07.978445159 +0800
@@ -20,8 +20,6 @@
# Script requires a working docker on the test machine
# It is run in the proxy dir, will create a docker image with proxy deb installed
-
-bazel build @com_googlesource_chromium_v8//:build
bazel build tools/deb:istio-proxy
PROJECT="istio-testing"

2
istio/istio

Submodule istio/istio updated: fcc7295d4a...8a08c24210