Support clusterLocal host exclusions for multi-cluster (istio#52367) (i…

…stio#53443) * Support clusterLocal exclusions * Support clusterLocal exclusions * Support clusterLocal exclusions - fix release * Add explicit clusterLocal: false if not found * Add additional test cases --------- Signed-off-by: clarkjohnd <[email protected]>
tetratelabs · Oct 18, 2024 · 802f289 · 802f289
1 parent 5851980
commit 802f289
Show file tree

Hide file tree

Showing 3 changed files with 153 additions and 23 deletions.
diff --git a/pilot/pkg/model/cluster_local.go b/pilot/pkg/model/cluster_local.go
@@ -19,26 +19,29 @@ import (
 	"sync"
 
 	"istio.io/istio/pkg/config/host"
-	"istio.io/istio/pkg/util/sets"
 )
 
 var (
 	defaultClusterLocalNamespaces = []string{"kube-system"}
 	defaultClusterLocalServices   = []string{"kubernetes.default.svc"}
 )
 
-// ClusterLocalHosts is a map of host names or wildcard patterns which should only
-// be made accessible from within the same cluster.
+// ClusterLocalHosts is a map of host names or wildcard patterns which indicate
+// whether a host be made accessible from within the same cluster or not.
 type ClusterLocalHosts struct {
-	specific sets.Set[host.Name]
-	wildcard sets.Set[host.Name]
+	specific map[host.Name]bool
+	wildcard map[host.Name]bool
 }
 
 // IsClusterLocal indicates whether the given host should be treated as a
 // cluster-local destination.
 func (c ClusterLocalHosts) IsClusterLocal(h host.Name) bool {
-	_, _, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
-	return ok
+	_, local, ok := MostSpecificHostMatch(h, c.specific, c.wildcard)
+	// Explicitly set clusterLocal to false if host is not found in clusterLocal settings
+	if !ok {
+		local = false
+	}
+	return local
 }
 
 // ClusterLocalProvider provides the cluster-local hosts.
@@ -98,22 +101,15 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 
 	// Collect the cluster-local hosts.
 	hosts := ClusterLocalHosts{
-		specific: make(map[host.Name]struct{}, 0),
-		wildcard: make(map[host.Name]struct{}, 0),
+		specific: make(map[host.Name]bool),
+		wildcard: make(map[host.Name]bool),
 	}
+
 	for _, serviceSettings := range e.Mesh().ServiceSettings {
-		if serviceSettings.GetSettings().GetClusterLocal() {
-			for _, h := range serviceSettings.GetHosts() {
-				hostname := host.Name(h)
-				if hostname.IsWildCarded() {
-					hosts.wildcard.Insert(hostname)
-				} else {
-					hosts.specific.Insert(hostname)
-				}
-			}
-		} else {
-			// Remove defaults if specified to be non-cluster-local.
-			for _, h := range serviceSettings.GetHosts() {
+		isClusterLocal := serviceSettings.GetSettings().GetClusterLocal()
+		for _, h := range serviceSettings.GetHosts() {
+			// If clusterLocal false, check to see if we should remove a default clusterLocal host.
+			if !isClusterLocal {
 				for i, defaultClusterLocalHost := range defaultClusterLocalHosts {
 					if len(defaultClusterLocalHost) > 0 {
 						if h == string(defaultClusterLocalHost) ||
@@ -126,15 +122,25 @@ func (c *clusterLocalProvider) onMeshUpdated(e *Environment) {
 				}
 			}
 		}
+
+		// Add hosts with their clusterLocal setting to sets.
+		for _, h := range serviceSettings.GetHosts() {
+			hostname := host.Name(h)
+			if hostname.IsWildCarded() {
+				hosts.wildcard[hostname] = isClusterLocal
+			} else {
+				hosts.specific[hostname] = isClusterLocal
+			}
+		}
 	}
 
 	// Add any remaining defaults to the end of the list.
 	for _, defaultClusterLocalHost := range defaultClusterLocalHosts {
 		if len(defaultClusterLocalHost) > 0 {
 			if defaultClusterLocalHost.IsWildCarded() {
-				hosts.wildcard.Insert(defaultClusterLocalHost)
+				hosts.wildcard[defaultClusterLocalHost] = true
 			} else {
-				hosts.specific.Insert(defaultClusterLocalHost)
+				hosts.specific[defaultClusterLocalHost] = true
 			}
 		}
 	}

diff --git a/pilot/pkg/model/cluster_local_test.go b/pilot/pkg/model/cluster_local_test.go
@@ -142,6 +142,123 @@ func TestIsClusterLocal(t *testing.T) {
 			host:     "s.ns3.svc.cluster.local",
 			expected: false,
 		},
+		{
+			name: "global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "s.ns1.svc.cluster.local",
+			expected: true,
+		},
+		{
+			name: "global with exclusion wildcard",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*.ns1.svc.cluster.local",
+						},
+					},
+				},
+			},
+			host:     "s.ns1.svc.cluster.local",
+			expected: false,
+		},
+		{
+			name: "global with exclusion specific",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"service.ns1.svc.cluster.local",
+						},
+					},
+				},
+			},
+			host:     "service.ns1.svc.cluster.local",
+			expected: false,
+		},
+		{
+			name: "subdomain local with global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*.cluster.local",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "echo.test.svc.cluster.local",
+			expected: true,
+		},
+		{
+			name: "other domain non-local global",
+			m: &meshconfig.MeshConfig{
+				ServiceSettings: []*meshconfig.MeshConfig_ServiceSettings{
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: true,
+						},
+						Hosts: []string{
+							"*.cluster.local",
+						},
+					},
+					{
+						Settings: &meshconfig.MeshConfig_ServiceSettings_Settings{
+							ClusterLocal: false,
+						},
+						Hosts: []string{
+							"*",
+						},
+					},
+				},
+			},
+			host:     "otherdomain",
+			expected: false,
+		},
 	}
 
 	for _, c := range cases {

diff --git a/releasenotes/notes/52367.yaml b/releasenotes/notes/52367.yaml
@@ -0,0 +1,7 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue: []
+releaseNotes:
+- |
+  **Fixed** Support clusterLocal host exclusions for multi-cluster.