Istio MCS Generating ServiceExports

[josephpeacock]

This PR accomplishes stage 2 in the Istio MCS RFC

In short, it allows Istio to be configured to create ServiceExport objects for non cluster-local services in an Istio-managed cluster.

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ X ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Pull Request Attributes

Please check any characteristics that apply to this pull request.

[ ] Does not have any changes that may affect Istio users.

[istio-policy-bot]

😊 Welcome @josephpeacock! This is either your first contribution to the Istio istio repo, or it's been
awhile since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[josephpeacock]

This PR accomplishes #29385 and is dependent upon #29763

[hzxuzhonghu]

From the implement, could not see when the serviceExport will be consumed and by who

[hzxuzhonghu]

Is this in core group, i think it can not be.

[josephpeacock]

I'm a bit unfamiliar with the manifests, could you recommend a more appropriate place?

[hzxuzhonghu]

no get list needed?

[howardjohn]

and watch, probably update and patch will be needed as well?

[josephpeacock]

This PR only needs create/delete on serviceexports. The eventual PR to consume them will likely need the ability to watch, but I want to add the minimal set of permissions necessary for this functionality.

[hzxuzhonghu]

what is this for, concerned about the peformance

[hzxuzhonghu]

Who will consume the ServiceExports created here

[josephpeacock]

The short answer is anyone will be able to. I'm working in parallel with @nmittler on the implementation of the Istio MCS RFC. I took "phase 2", and there is another issue open for "phase 1" (#29384)

The consumption of ServiceExports is out of scope for this PR.

[hzxuzhonghu]

It is not clear how this works from the RFC, should wait for the draft implement.

As i read through the mcs-api desgin, it is not clear to me how this can solve multicluster topology issue.

Can you elaborate on how the EndpointSlice create is used? https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#importing-services

[nmittler]

@hzxuzhonghu

The basic MCS flow is:

1. Something generates a ServiceExport for a service in a cluster
2. The MCS controller (Istio?) sees the ServiceExport and creates ServiceImport and EndpointSlices in all of the other clusters in the clusterset (i.e. mesh).
3. In the other clusters, the ServiceImport and EndpointSlices are used by K8s to program kube proxy to allow service calls to span clusters.

What this PR is attempting to accomplish is 1. This simply creates the ServiceExport resource ... it does nothing with EndpointSlices. This will have no real impact on the system if there is no MCS controller performing the ServiceImport.

[howardjohn]

I don't really understand why Istio is responsible for this. I presume MCSD will have multiple implementors, otherwise its not really useful. Will linkerd, consul, etc all be sending similar PRs, writing the same exact implementation of the same thing in 3 slightly different ways?

I would have expected the MCSD repo to have a controller, which is either deployed standalone, or maybe, once its past experimental, linked into Istiod as a library to reduce the deployment complexity.

I am a bit concerned that every project is going to implement the same controller slightly different and we will not actually have a consistent API like was desired.

[howardjohn]

and watch, probably update and patch will be needed as well?

[howardjohn]

nit: there is no need for this to be a pointer as far as I know

[howardjohn]

I am concerned about the API here. Why are we mixing an Istio API ("cluster local") with the MCSD api? Isn't the goal of MCSD that we are just another implementor?

[josephpeacock]

Isn't the goal of MCSD that we are just another implementor?

Yes, but one implementation detail that we get to determine is which services are exported (the API intentionally leaves that up to whatever entity is generating serviceExports). So we're piggybacking off of this Istio API with the assumption that cluster local hosts should not be exported for MCS.

[howardjohn]

nit: use errors.IsAlreadyExists

[howardjohn]

what if the contents are wrong?

[josephpeacock]

For this implementation, we are making the intentional choice that we don't care, and don't support cases in which some other entity (either human or 3rd party MCS controller) modifies a ServiceExport. So if it exists, we stop processing (to minimize cases where the other entity overwrite may be desired behavior).

[howardjohn]

Calling .List() is not acceptable for performance, we should be using the informer cache. Direct API calls like this have bit us many times in the past

[josephpeacock]

@howardjohn @hzxuzhonghu Maybe this is something we should discuss at the next Environments working group meeting? I was under the impression that the approved RFC represented an agreement that we were going to build the specified functionality into Istio. In meeting with @nmittler, we decided that phases one and two from that document could be done in parallel, and that I would put together a PR encompassing only stage two.

I'm happy to shelve or permanently close this PR if it's agreed that building MCS functionality into Istio is the wrong direction for the project. You both had some very good specific feedback in the code as well, and I appreciate the prompt review. But I'd like for us to agree on the big picture direction before I spend more time rebasing and/or updating this PR.

[howardjohn]

To clarify a bit. I am not *against* this, I am just not sure it's the right thing to do without more info (answers to questions above about the wider ecosystem). The RFC is a bit light on the details. Discussion in env WG (or this PR) SGTM! Thanks for working on this

…

On Mon, Jan 4, 2021 at 8:14 AM josephpeacock ***@***.***> wrote: @howardjohn <https://github.com/howardjohn> @hzxuzhonghu <https://github.com/hzxuzhonghu> Maybe this is something we should discuss at the next Environments working group meeting? I was under the impression that the approved RFC <https://docs.google.com/document/d/1K8hvQ83UcJ9a7U8oqXIefwr6pFJn-VBEi40Ak-fwQtk/edit#heading=h.xw1gqgyqs5b> represented an agreement that we were going to build the specified functionality into Istio. In meeting with @nmittler <https://github.com/nmittler>, we decided that phases one and two from that document could be done in parallel, and that I would put together a PR encompassing only stage two. I'm happy to shelve or permanently close this PR if it's agreed that building MCS functionality into Istio is the wrong direction for the project. You both had some very good specific feedback in the code as well, and I appreciate the prompt review. But I'd like for us to agree on the big picture direction before I spend more time rebasing and/or updating this PR. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#29763 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEYGXM5F5DUYPPLCJH24FTSYHSNPANCNFSM4VHOXF5Q> .

[josephpeacock]

Fair enough, let me answer the questions that I feel that I can speak to:

I don't really understand why Istio is responsible for this. I presume MCSD will have multiple implementors, otherwise its not really useful. Will linkerd, consul, etc all be sending similar PRs, writing the same exact implementation of the same thing in 3 slightly different ways?

I think this is the intention of the k8s spec. They explicitly say in their document that anything should be able to be an MCS controller:

mcs-controller - A controller that syncs services across clusters and makes them available for multi-cluster service discovery and connectivity. There may be multiple implementations, this doc describes expected common behavior. The controller may be a single controller, multiple decentralized controllers, or a human using kubectl to create resources. This document aims to support any implementation that fulfills the behavioral expectations of this API.

In this case, I'd argue it's a question of value-add. Do we see value in building out MCS controller functionality in Istio? (with the alternative being having users need to use another MCS controller in tandem with Istio if they want that functionality). And I do think being able to use service names to route across multiple clusters would really simplify some multicluster Istio installations.

I would have expected the MCSD repo to have a controller, which is either deployed standalone, or maybe, once its past experimental, linked into Istiod as a library to reduce the deployment complexity.

The only official k8s MCS repo that I know of at the moment is for the MCS API. I don't know if there is a plan for an official k8s MCS controller, or if they are intending to leave it entirely up to the community.

I am a bit concerned that every project is going to implement the same controller slightly different and we will not actually have a consistent API like was desired.

You're probably right that there may be opportunities for a wider conversation about how specific the API is and should be moving forward on the k8s side. But I'm not sure if that's relevant to Istio's implementation, unless we want to wait to implement until the spec is more well-defined.

[nmittler]

Doesn't this duplicate the configuration in MeshConfig?

[nmittler]

Can't meshconfig be updated?

[nmittler]

We do this elsewhere ... can we use a common function?

[nmittler]

Can we move this function to the context?

[josephpeacock]

I'm not sure what you mean by this, can you clarify?

[nmittler]

The context is where you're getting information regarding cluster-local services. Could it just expose this method instead of defining it here?

[nmittler]

Is there a standard error here, similar to errors.IsAlreadyExists?

[josephpeacock]

Ready for re-review.

[rcernich]

Do you want to add an owner reference to this? This would also eliminate the need for handling deletions.

[josephpeacock]

That is actually something that is explicitly called out by the K8s MCS Spec, and was decided against. Instead, they chose to rely entirely on the name mapping. I tried to make this implementation match the spec as closely as possible.

[istio-testing]

@josephpeacock: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
integ-pilot-multicluster-tests_istio	e8a4426	link	/test integ-pilot-multicluster-tests_istio

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[nmittler]

@josephpeacock thanks for all the help. I'm taking this over in #31401. Shall we just close this one out?

[josephpeacock]

Yup, let's do that. Thanks for taking this over!