proxy: slim Istio agent dependencies (#50212)

* decouple agent Change-Id: Ib8ca017c2b86b84c9bff9b818ef6fa531e5e46a8 Signed-off-by: Kuat Yessenov <[email protected]> * proxy: slim istio agent Change-Id: Iff0c64bb7b806734be402f95129bf788d332525a Signed-off-by: Kuat Yessenov <[email protected]> * undo minor change Change-Id: Ia3ab68417f892843e948e6e91f2730568e54e4d0 Signed-off-by: Kuat Yessenov <[email protected]> * missing proto Change-Id: I3377a1783b813d50032fe1df9fe8e40f4843ea41 Signed-off-by: Kuat Yessenov <[email protected]> --------- Signed-off-by: Kuat Yessenov <[email protected]>
istio · Apr 4, 2024 · 903ba1a · 903ba1a
1 parent d242b37
commit 903ba1a
Show file tree

Hide file tree

Showing 11 changed files with 225 additions and 150 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -295,6 +295,7 @@ lint: lint-python lint-copyright-banner lint-scripts lint-go lint-dockerfiles li
 # (k8s) Machinery, utils, klog
 # (proto) TLS for SDS
 # (proto) Wasm for wasm xDS proxy
+# (proto) xDS discovery service for xDS proxy
 .PHONY: check-agent-deps
 check-agent-deps:
  @go list -f '{{ join .Deps "\n" }}' -tags=agent \
@@ -306,14 +307,11 @@ check-agent-deps:
  ./pilot/cmd/pilot-agent/status/ready \
  ./pilot/cmd/pilot-agent/status/grpcready \
  ./pilot/cmd/pilot-agent/config \
- ./pkg/dns/client/... \
- ./pkg/security/... \
- ./pkg/bootstrap/... \
- ./pkg/wasm/... \
- ./pkg/envoy/... | sort | uniq |\
+ ./pkg/istio-agent/... | sort | uniq |\
  grep -Pv '^k8s.io/(utils|klog|apimachinery)/' |\
  grep -Pv 'envoy/type/|envoy/annotations|envoy/config/core/' |\
  grep -Pv 'envoy/extensions/transport_sockets/tls/' |\
+ grep -Pv 'envoy/service/discovery/v3' |\
  grep -Pv 'envoy/extensions/wasm/' |\
  grep -Pv 'envoy/extensions/filters/(http|network)/wasm/' |\
  (! grep -P '^k8s.io|^sigs.k8s.io/gateway-api|cel|antlr|envoy/')

diff --git a/istioctl/pkg/writer/compare/listener.go b/istioctl/pkg/writer/compare/listener.go
@@ -20,6 +20,8 @@ import (
 
  "github.com/pmezard/go-difflib/difflib"
 
+ // Force import protos
+ _ "istio.io/istio/pilot/pkg/xds/filters"
  "istio.io/istio/pkg/util/protomarshal"
 )
 

diff --git a/pilot/cmd/pilot-agent/options/agent.go b/pilot/cmd/pilot-agent/options/agent.go
@@ -24,8 +24,10 @@ import (
  "istio.io/istio/pilot/pkg/model"
  "istio.io/istio/pkg/bootstrap/platform"
  istioagent "istio.io/istio/pkg/istio-agent"
+ "istio.io/istio/pkg/security"
  "istio.io/istio/pkg/util/sets"
  "istio.io/istio/pkg/wasm"
+ "istio.io/istio/security/pkg/nodeagent/sds"
 )
 
 // Similar with ISTIO_META_, which is used to customize the node metadata - this customizes extra header.
@@ -71,6 +73,9 @@ func NewAgentOptions(proxy *model.Proxy, cfg *meshconfig.ProxyConfig) *istioagen
  DualStack: features.EnableDualStack,
  UseExternalWorkloadSDS: useExternalWorkloadSDSEnv,
  MetadataDiscovery: enableWDSEnv,
+ SDSFactory: func(options *security.Options, workloadSecretCache security.SecretManager, pkpConf *meshconfig.PrivateKeyProvider) istioagent.SDSService {
+ return sds.NewServer(options, workloadSecretCache, pkpConf)
+ },
  }
  extractXDSHeadersFromEnv(o)
  return o

diff --git a/pilot/pkg/xds/v3/model.go b/pilot/pkg/xds/v3/model.go
@@ -15,123 +15,45 @@
 package v3
 
 import (
- "strings"
-
- resource "github.com/envoyproxy/go-control-plane/pkg/resource/v3"
+ "istio.io/istio/pkg/model"
 )
 
 const (
- envoyTypePrefix = resource.APITypePrefix + "envoy."
-
- ClusterType = resource.ClusterType
- EndpointType = resource.EndpointType
- ListenerType = resource.ListenerType
- RouteType = resource.RouteType
- SecretType = resource.SecretType
- ExtensionConfigurationType = resource.ExtensionConfigType
-
- NameTableType = resource.APITypePrefix + "istio.networking.nds.v1.NameTable"
- HealthInfoType = resource.APITypePrefix + "istio.v1.HealthInformation"
- ProxyConfigType = resource.APITypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
- // DebugType requests debug info from istio, a secured implementation for istio debug interface.
- DebugType = "istio.io/debug"
- BootstrapType = resource.APITypePrefix + "envoy.config.bootstrap.v3.Bootstrap"
- AddressType = resource.APITypePrefix + "istio.workload.Address"
- WorkloadType = resource.APITypePrefix + "istio.workload.Workload"
- WorkloadAuthorizationType = resource.APITypePrefix + "istio.security.Authorization"
+ ClusterType = model.ClusterType
+ EndpointType = model.EndpointType
+ ListenerType = model.ListenerType
+ RouteType = model.RouteType
+ SecretType = model.SecretType
+ ExtensionConfigurationType = model.ExtensionConfigurationType
+ NameTableType = model.NameTableType
+ HealthInfoType = model.HealthInfoType
+ ProxyConfigType = model.ProxyConfigType
+ DebugType = model.DebugType
+ BootstrapType = model.BootstrapType
+ AddressType = model.AddressType
+ WorkloadType = model.WorkloadType
+ WorkloadAuthorizationType = model.WorkloadAuthorizationType
 
  // nolint
  HttpProtocolOptionsType = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
 )
 
 // GetShortType returns an abbreviated form of a type, useful for logging or human friendly messages
 func GetShortType(typeURL string) string {
- switch typeURL {
- case ClusterType:
- return "CDS"
- case ListenerType:
- return "LDS"
- case RouteType:
- return "RDS"
- case EndpointType:
- return "EDS"
- case SecretType:
- return "SDS"
- case NameTableType:
- return "NDS"
- case ProxyConfigType:
- return "PCDS"
- case ExtensionConfigurationType:
- return "ECDS"
- case AddressType, WorkloadType:
- return "WDS"
- case WorkloadAuthorizationType:
- return "WADS"
- default:
- return typeURL
- }
+ return model.GetShortType(typeURL)
 }
 
 // GetMetricType returns the form of a type reported for metrics
 func GetMetricType(typeURL string) string {
- switch typeURL {
- case ClusterType:
- return "cds"
- case ListenerType:
- return "lds"
- case RouteType:
- return "rds"
- case EndpointType:
- return "eds"
- case SecretType:
- return "sds"
- case NameTableType:
- return "nds"
- case ProxyConfigType:
- return "pcds"
- case ExtensionConfigurationType:
- return "ecds"
- case BootstrapType:
- return "bds"
- case AddressType, WorkloadType:
- return "wds"
- case WorkloadAuthorizationType:
- return "wads"
- default:
- return typeURL
- }
+ return model.GetMetricType(typeURL)
 }
 
 // GetResourceType returns resource form of an abbreviated form
 func GetResourceType(shortType string) string {
- s := strings.ToUpper(shortType)
- switch s {
- case "CDS":
- return ClusterType
- case "LDS":
- return ListenerType
- case "RDS":
- return RouteType
- case "EDS":
- return EndpointType
- case "SDS":
- return SecretType
- case "NDS":
- return NameTableType
- case "PCDS":
- return ProxyConfigType
- case "ECDS":
- return ExtensionConfigurationType
- case "WDS":
- return AddressType
- case "WADS":
- return WorkloadAuthorizationType
- default:
- return shortType
- }
+ return model.GetResourceType(shortType)
 }
 
 // IsEnvoyType checks whether the typeURL is a valid Envoy type.
 func IsEnvoyType(typeURL string) bool {
- return strings.HasPrefix(typeURL, envoyTypePrefix)
+ return model.IsEnvoyType(typeURL)
 }
diff --git a/pkg/istio-agent/agent.go b/pkg/istio-agent/agent.go
@@ -36,7 +36,6 @@ import (
  mesh "istio.io/api/mesh/v1alpha1"
  "istio.io/istio/pilot/cmd/pilot-agent/config"
  "istio.io/istio/pilot/cmd/pilot-agent/status/ready"
- "istio.io/istio/pilot/pkg/model"
  "istio.io/istio/pkg/backoff"
  "istio.io/istio/pkg/bootstrap"
  "istio.io/istio/pkg/bootstrap/platform"
@@ -48,15 +47,14 @@ import (
  "istio.io/istio/pkg/filewatcher"
  "istio.io/istio/pkg/istio-agent/grpcxds"
  "istio.io/istio/pkg/log"
- sec_model "istio.io/istio/pkg/model"
+ "istio.io/istio/pkg/model"
  "istio.io/istio/pkg/security"
  "istio.io/istio/pkg/wasm"
  "istio.io/istio/security/pkg/nodeagent/cache"
  "istio.io/istio/security/pkg/nodeagent/caclient"
  citadel "istio.io/istio/security/pkg/nodeagent/caclient/providers/citadel"
  gca "istio.io/istio/security/pkg/nodeagent/caclient/providers/google"
  cas "istio.io/istio/security/pkg/nodeagent/caclient/providers/google-cas"
- "istio.io/istio/security/pkg/nodeagent/sds"
 )
 
 const (
@@ -90,6 +88,11 @@ const (
  ExitLifecycleEvent LifecycleEvent = "exit"
 )
 
+type SDSService interface {
+ OnSecretUpdate(resourceName string)
+ Stop()
+}
+
 // Agent contains the configuration of the agent, based on the injected
 // environment:
 // - SDS hostPath if node-agent was used
@@ -105,7 +108,7 @@ type Agent struct {
 
  envoyAgent *envoy.Agent
 
- sdsServer *sds.Server
+ sdsServer SDSService
  secretCache *cache.SecretManagerClient
 
  // Used when proxying envoy xds via istio-agent is enabled.
@@ -201,6 +204,8 @@ type AgentOptions struct {
 
  // Enable metadata discovery bootstrap extension
  MetadataDiscovery bool
+
+ SDSFactory func(options *security.Options, workloadSecretCache security.SecretManager, pkpConf *mesh.PrivateKeyProvider) SDSService
 }
 
 // NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and
@@ -420,7 +425,7 @@ func (a *Agent) initSdsServer() error {
  }()
  } else {
  pkpConf := a.proxyConfig.GetPrivateKeyProvider()
- a.sdsServer = sds.NewServer(a.secOpts, a.secretCache, pkpConf)
+ a.sdsServer = a.cfg.SDSFactory(a.secOpts, a.secretCache, pkpConf)
  a.secretCache.RegisterSecretHandler(a.sdsServer.OnSecretUpdate)
  }
 
@@ -772,7 +777,7 @@ func (a *Agent) newSecretManager() (*cache.SecretManagerClient, error) {
  } else if a.secOpts.CAProviderName == security.GoogleCASProvider {
  // Use a plugin
  tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
- sec_model.EnforceGoCompliance(tlsConfig)
+ model.EnforceGoCompliance(tlsConfig)
  caClient, err := cas.NewGoogleCASClient(a.secOpts.CAEndpoint,
  option.WithGRPCDialOption(grpc.WithPerRPCCredentials(caclient.NewCATokenProvider(a.secOpts))),
  option.WithGRPCDialOption(grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))))

diff --git a/pkg/istio-agent/agent_test.go b/pkg/istio-agent/agent_test.go
@@ -659,6 +659,9 @@ func Setup(t *testing.T, opts ...func(a AgentTest) AgentTest) *AgentTest {
  XDSRootCerts: rootCert,
  XdsUdsPath: filepath.Join(d, "XDS"),
  ServiceNode: proxy.ServiceNode(),
+ SDSFactory: func(options *security.Options, workloadSecretCache security.SecretManager, pkpConf *meshconfig.PrivateKeyProvider) SDSService {
+ return sds.NewServer(options, workloadSecretCache, pkpConf)
+ },
  }
 
  // Set-up envoy defaults

diff --git a/pkg/istio-agent/tap_proxy.go b/pkg/istio-agent/tap_proxy.go
@@ -24,7 +24,6 @@ import (
  "google.golang.org/grpc/reflection"
 
  istiogrpc "istio.io/istio/pilot/pkg/grpc"
- "istio.io/istio/pilot/pkg/xds"
  istiokeepalive "istio.io/istio/pkg/keepalive"
  "istio.io/istio/pkg/log"
 )
@@ -43,14 +42,18 @@ func NewTapGrpcHandler(xdsProxy *XdsProxy) (*grpc.Server, error) {
  return grpcs, nil
 }
 
-func (p *tapProxy) StreamAggregatedResources(downstream xds.DiscoveryStream) error {
+const (
+ TypeDebugPrefix = "istio.io/debug/"
+)
+
+func (p *tapProxy) StreamAggregatedResources(downstream DiscoveryStream) error {
  timeout := time.Second * 15
  req, err := downstream.Recv()
  if err != nil {
  log.Errorf("failed to recv: %v", err)
  return err
  }
- if strings.HasPrefix(req.TypeUrl, xds.TypeDebugPrefix) {
+ if strings.HasPrefix(req.TypeUrl, TypeDebugPrefix) {
  if resp, err := p.xdsProxy.tapRequest(req, timeout); err == nil {
  err := downstream.Send(resp)
  if err != nil {
@@ -65,6 +68,6 @@ func (p *tapProxy) StreamAggregatedResources(downstream xds.DiscoveryStream) err
  return nil
 }
 
-func (p *tapProxy) DeltaAggregatedResources(downstream xds.DeltaDiscoveryStream) error {
+func (p *tapProxy) DeltaAggregatedResources(downstream DeltaDiscoveryStream) error {
  return fmt.Errorf("not implemented")
 }