fix istioctl analyze vs error when a custom cluster domain #51064
Conversation
istio-policy-bot
added
area/user experience
release-notes-none
istio-testing
added
the
size/M
| @@ -61,6 +62,17 @@ func InitServiceEntryHostMap(ctx analysis.Context) map[ScopedFqdn]*v1alpha3.Serv | |||
| return true | |||
| }) | |||
|
|
|||
| // use meshConfig.trustDomain changed the default domain | |||
| // todo: replace by `values.global.proxy.clusterDomain` | |||
| ctx.ForEach(gvk.MeshConfig, func(r *resource.Instance) bool { | |||
There was a problem hiding this comment.
can we get MeshConfig with this function? I am not sure, MeshConig is from configmap
There was a problem hiding this comment.
Yes, the configmap was saved in cache as MeshConfig for analysis during initialization.
| @@ -43,7 +43,9 @@ func (ctx *Context) Exists(config.GroupVersionKind, resource.FullName) bool { re | |||
| // ForEach implements analysis.Context | |||
| func (ctx *Context) ForEach(_ config.GroupVersionKind, fn analysis.IteratorFn) { | |||
| for _, r := range ctx.Resources { | |||
| fn(r) | |||
| if !fn(r) { | |||
There was a problem hiding this comment.
+1 to @hanxiaop question
There was a problem hiding this comment.
I want to end the loop when the loop gets meshconfig, so added here
| var configClusterLocalDomain string | ||
|
|
||
| func SetConfigClusterLocalDomain(domain string) { | ||
| configClusterLocalDomain = "svc." + domain |
There was a problem hiding this comment.
Using globals like this is not safe or acceptable, this will cause data races. note this package is used in long running servers, not just the CLI
There was a problem hiding this comment.
ok, that's indeed a problem, I'll find a new methods.
| meshConfig := r.Message.(*meshconfig.MeshConfig) | ||
| if meshConfig.GetTrustDomain() != "" { | ||
| SetConfigClusterLocalDomain(meshConfig.GetTrustDomain()) | ||
| return false |
There was a problem hiding this comment.
I think the following questions are related to @hanxiaop question below about !fn(r).
- Why do we return false when GetTrustDomain() is not empty? Is the goal to stop iterating once we get the trust domain?, hence:
if !fn(r) {
break
}
as seen in the ctx.ForEach(...) function update you added.
There was a problem hiding this comment.
Yeah 😄
I think we need a break here and then add a loop break for the ForEach func.
|
|
||
| var configClusterLocalDomain string | ||
|
|
||
| func SetConfigClusterLocalDomain(domain string) { |
There was a problem hiding this comment.
Apologies for my ignorance here but can you explain the reason behind checking for a non-empty Trust Domain(as returned via GetTrustDomain()) and setting Config Cluster Local Domain to that value?
There was a problem hiding this comment.
backgraound:
This issue originates from #33174, where the user customized the k8s cluster domain and used several related Istio configurations.
meshConfig.trustDomain
values.global.trustDomain
values.global.proxy.clusterDomain
However, when using istioctl analyze, it consistently shows the error service-name.namespace.svc.customDnsDomain IST0101 Error (Referenced host not found).
There was a problem hiding this comment.
why use trusDomain?
Actually, the up configuration keys, values.global.proxy.clusterDomain aligns better semantically.
and then it only used in the sidecar template and is not get value through any runtime configuration. Implementing this would be a complexity task.
so, considering the user scenario(when user need changed cluster domain), they generally configure these parameters simultaneously. As a result, trustDomain can get from meshConfig, and can be used as a reference value.
| @@ -61,6 +62,17 @@ func InitServiceEntryHostMap(ctx analysis.Context) map[ScopedFqdn]*v1alpha3.Serv | |||
| return true | |||
| }) | |||
|
|
|||
| // use meshConfig.trustDomain changed the default domain | |||
| // todo: replace by `values.global.proxy.clusterDomain` | |||
There was a problem hiding this comment.
What exactly is the todo? Also, does not doing that work now effect the resolution of the issue in any way?
There was a problem hiding this comment.
Based on the description above( why use ** trusDomain** ??), I believe the current solution is only a preliminary workaround. A more optimal solution is needed and requires further discussion.
And I'm not sure how the community plans and designs this aspect, and whether there's a need for unification. Additionally, I think it would be helpful to include some usage documentation, as many people might encounter the same issue.
There was a problem hiding this comment.
From a bug fix perspective, trustDomain can already resolved the user's issue.
However, I want to implement a more standardized and user-friendly solution. Therefore, I'll add a TODO to drive this improvement forward.
| @@ -43,7 +43,9 @@ func (ctx *Context) Exists(config.GroupVersionKind, resource.FullName) bool { re | |||
| // ForEach implements analysis.Context | |||
| func (ctx *Context) ForEach(_ config.GroupVersionKind, fn analysis.IteratorFn) { | |||
| for _, r := range ctx.Resources { | |||
| fn(r) | |||
| if !fn(r) { | |||
There was a problem hiding this comment.
+1 to @hanxiaop question
istio-testing
added
size/L
zirain
changed the title
nicole-lihui
requested review from
MorrisLaw,
hanxiaop,
hzxuzhonghu and
howardjohn
| "istio.io/api/networking/v1alpha3" | ||
| "istio.io/istio/pkg/config/analysis" | ||
| "istio.io/istio/pkg/config/resource" | ||
| "istio.io/istio/pkg/config/schema/gvk" | ||
| ) | ||
|
|
||
| func GetCustomClusterDomain(ctx analysis.Context) string { | ||
| cusClusterDomain := "" | ||
| // use meshConfig.trustDomain changed the default domain |
There was a problem hiding this comment.
trustDomain and cluster domain are 100% orthogonal to each other. There is absolutely no relationship at all (beyond the same default) and they should not be used interchange-ably like this
There was a problem hiding this comment.
Let me try to find a better solution 🤔
resolved #33174
Please provide a description of this PR: