Followup on EDS (istio#4036)

Automatic merge from submit-queue.

Followup on EDS

- reduce logging (use env variable until someone finds out how to configure modules in the new logger)
- add a fail-safe env variable, in case we need to turn it off. Needs to be set in the injector template if needed.
- add the TLS option for grpc port (first attempt - will replace with proper grpc listener in followup). 
Shriram: yes, I still agree we should load the certs in pilot, but can be done later.
- starting to add some structs for debug and push - in progress, will keep adding while the rest is reviewed. Main question is how to name the clients for the debug - based on POD ID (IP) and watched resource, pod name and resource, or  group by remote pod. A http handler listing all connected endpoints and the watched resources in followup.
- finish the move of all eds-related functions to eds.go (from mesh_discovery)

Also this changes the 2 'istio-on-istio' pilot configs to v2.

.circleci/config.yml

@@ -252,6 +252,7 @@ jobs:
             - TEST_ENV: minikube-none
             - HUB: docker.io/dnerepo
             - TAG: dontpush
+            - SKIP_EGRESS: 1
     steps:
       - type: shell
         name: Initialize Working Directory
@@ -275,7 +276,11 @@ jobs:
       - run: bin/testEnvRootMinikube.sh wait
       - run: docker images
       - run: make test/minikube/auth/e2e_pilot HUB="${HUB}" TAG="${TAG}"
-      - run: make test/minikube/auth/e2e_pilot_alpha1 HUB="${HUB}" TAG="${TAG}"
+      - run:
+          name: alpha1
+          when: always
+          command: |
+            make test/minikube/auth/e2e_pilot_alpha1 HUB="${HUB}" TAG="${TAG}"
       - run:
           name: dumpsys
           when: always
@@ -296,6 +301,57 @@ jobs:
       - store_test_results:
           path: /go/out/tests
 
+  # Until alpha1 is deprecated
+  e2e-pilot-auth-egress:
+    <<: *integrationDefaults
+    environment:
+            - GOPATH: /go
+            - KUBECONFIG: /go/out/minikube.conf
+            - TEST_ENV: minikube-none
+            - HUB: docker.io/dnerepo
+            - TAG: dontpush
+    steps:
+      - type: shell
+        name: Initialize Working Directory
+        pwd: /
+        command: |
+          sudo mkdir -p /go/src/istio.io/istio
+          sudo chown -R circleci /go
+          mkdir -p /home/circleci/logs
+      - checkout
+      - run: make submodule-sync
+      - attach_workspace:
+          at:  /go
+      - run: bin/testEnvRootMinikube.sh start
+      - run:
+          command: |
+            if [ ! -f /go/out/linux_amd64/release/pilot-discovery ]; then
+              # Should only happen when re-running a job, and the workspace is gone
+              time make build test-bins
+            fi
+            make docker.all generate_yaml
+      - run: bin/testEnvRootMinikube.sh wait
+      - run: docker images
+      - run: make test/minikube/auth/e2e_pilot_alpha1 HUB="${HUB}" TAG="${TAG}"
+      - run:
+          name: dumpsys
+          when: always
+          command: |
+            # TODO: move to a make target 'dumpsys'.
+            kubectl get all -o wide --all-namespaces
+            kubectl cluster-info dump > /go/out/logs/cluster-info.dump.txt
+            kubectl describe pods -n pilot-auth > /go/out/logs/pods-system.txt
+            kubectl describe pods -n pilot-auth-system > /go/out/logs/pods-test.txt
+            /go/bin/go-junit-report </go/out/tests/test-report-auth-pilot-v1.raw > /go/out/tests/test-report-auth-pilot-v1.xml
+      - store_artifacts:
+          path: /go/out/tests
+      - store_artifacts:
+          path: /go/out/logs
+      - store_artifacts:
+          path: /tmp
+      - store_test_results:
+          path: /go/out/tests
+
   e2e-pilot-v1alpha1-and-v1alpha3:
     <<: *integrationDefaults
     environment:
@@ -647,6 +703,10 @@ workflows:
       - racetest:
           requires:
             - dependencies
+      - e2e-pilot-auth-egress:
+          requires:
+            - build
+
 
   all:
     jobs:

bin/init.sh

@@ -48,17 +48,17 @@ export GOARCH=${GOARCH:-'amd64'}
 LOCAL_OS="`uname`"
 case $LOCAL_OS in
   'Linux')
-    OS='Linux'
+    LOCAL_OS='linux'
     ;;
   'Darwin')
-    OS='Mac'
+    LOCAL_OS='darwin'
     ;;
   *)
     echo "This system's OS ${LOCAL_OS} isn't recognized/supported"
     exit 1
     ;;
 esac
-export GOOS=${GOOS:-LOCAL_OS}
+export GOOS=${GOOS:-${LOCAL_OS}}
 
 # test scripts seem to like to run this script directly rather than use make
 export ISTIO_OUT=${ISTIO_OUT:-${ISTIO_BIN}}
@@ -98,6 +98,10 @@ set_download_command () {
     exit 1
 }
 
+if [ -z ${PROXY_REPO_SHA:-} ] ; then
+  export PROXY_REPO_SHA=$(grep PROXY_REPO_SHA istio.deps  -A 4 | grep lastStableSHA | cut -f 4 -d '"')
+fi
+
 # Normally set by the Makefile.
 ISTIO_ENVOY_VERSION=${ISTIO_ENVOY_VERSION:-${PROXY_REPO_SHA}}
 ISTIO_ENVOY_DEBUG_URL=${ISTIO_ENVOY_DEBUG_URL:-https://storage.googleapis.com/istio-build/proxy/envoy-debug-${ISTIO_ENVOY_VERSION}.tar.gz}
@@ -106,10 +110,10 @@ ISTIO_ENVOY_RELEASE_URL=${ISTIO_ENVOY_RELEASE_URL:-https://storage.googleapis.co
 # Normally set by the Makefile.
 # Variables for the extracted debug/release Envoy artifacts.
 ISTIO_ENVOY_DEBUG_DIR=${ISTIO_ENVOY_DEBUG_DIR:-"${OUT_DIR}/${GOOS}_${GOARCH}/debug"}
-ISTIO_ENVOY_DEBUG_NAME=${ISTIO_ENVOY_DEBUG_NAME:-"envoy-debug-ISTIO_ENVOY_VERSION"}
+ISTIO_ENVOY_DEBUG_NAME=${ISTIO_ENVOY_DEBUG_NAME:-"envoy-debug-$ISTIO_ENVOY_VERSION"}
 ISTIO_ENVOY_DEBUG_PATH=${ISTIO_ENVOY_DEBUG_PATH:-"$ISTIO_ENVOY_DEBUG_DIR/$ISTIO_ENVOY_DEBUG_NAME"}
 ISTIO_ENVOY_RELEASE_DIR=${ISTIO_ENVOY_RELEASE_DIR:-"{OUT_DIR}/${GOOS}_${GOARCH}/release"}
-ISTIO_ENVOY_RELEASE_NAME=${ISTIO_ENVOY_RELEASE_NAME:-"envoy-ISTIO_ENVOY_VERSION"}
+ISTIO_ENVOY_RELEASE_NAME=${ISTIO_ENVOY_RELEASE_NAME:-"envoy-$ISTIO_ENVOY_VERSION"}
 ISTIO_ENVOY_RELEASE_PATH=${ISTIO_ENVOY_RELEASE_PATH:-"$ISTIO_ENVOY_RELEASE_DIR/$ISTIO_ENVOY_RELEASE_NAME"}
 
 # Save envoy in $ISTIO_ENVOY_DIR

bin/testEnvLocalK8S.sh

@@ -13,6 +13,7 @@ export ISTIO_GO=${TOP}/src/istio.io/istio
 export GOPATH=${TOP}
 export PATH=${GOPATH}/bin:${PATH}
 export OUT=${TOP}/out
+export ISTIO_OUT=${ISTIO_OUT:-${TOP}/out/linux_amd64/release}
 
 # components used in the test (starting with circleci for consistency, eventually ci will use this)
 export K8S_VER=${K8S_VER:-v1.9.2}
@@ -114,6 +115,40 @@ function startLocalApiserver() {
     echo "Started local etcd and apiserver !"
 }
 
+function startIstio() {
+    ensureLocalApiServer
+    startPilot
+    startEnvoy
+    startMixer
+}
+
+function stopIstio() {
+  if [[ -f $LOG_DIR/pilot.pid ]] ; then
+    kill -9 $(cat $LOG_DIR/pilot.pid)
+    kill -9 $(cat $LOG_DIR/mixer.pid)
+    kill -9 $(cat $LOG_DIR/envoy4.pid)
+    rm $LOG_DIR/{pilot,mixer,envoy4}.pid
+  fi
+}
+
+function startPilot() {
+  POD_NAME=pilot POD_NAMESPACE=istio-system ${ISTIO_OUT}/pilot-discovery discovery \
+    -n default --kubeconfig .circleci/config &
+  echo $! > $LOG_DIR/pilot.pid
+}
+
+function startMixer() {
+  ${ISTIO_OUT}/mixs server --configStoreURL=fs:${ISTIO_GO}/mixer/testdata/configroot \
+    --kubeconfig .circleci/config &
+  echo $! > $LOG_DIR/mixer.pid
+}
+
+function startEnvoy() {
+    ${ISTIO_OUT}/envoy -c tests/testdata/envoy_local.json \
+        --base-id 4 --service-cluster unittest --service-node local.test
+  echo $! > $LOG_DIR/envoy4.pid
+}
+
 function stopLocalApiserver() {
   if [[ -f $LOG_DIR/etcd.pid ]] ; then
     kill -9 $(cat $LOG_DIR/etcd.pid)
@@ -122,6 +157,12 @@ function stopLocalApiserver() {
   fi
 }
 
+function startLocalServers() {
+    startLocalApiserver
+    startPilot
+    startEnvoy
+}
+
 function ensureLocalApiserver() {
     kubectl get nodes 2>/dev/null || startLocalApiserver
 }
@@ -130,6 +171,8 @@ CMD=${1:-help}
 case "$1" in
     start) startLocalApiserver ;;
     stop) stopLocalApiserver ;;
+    startIstio) startIstio ;;
+    stopIstio) stopIstio ;;
     ensure) ensureLocalApiserver ;;
     *) echo "start stop ensure"
 esac

mixer/template/sample/createinstance_test.go

@@ -687,7 +687,7 @@ func generateReportTests() []createInstanceTest {
 	emptyFieldsParam := sample_report.InstanceParam{
 		// missing all fields
 		Res1: &sample_report.Res1InstanceParam{
-		// missing all fields
+			// missing all fields
 		},
 	}
 	t = createInstanceTest{

mixer/template/sample/template.gen_test.go

@@ -1086,7 +1086,7 @@ func TestProcessReport(t *testing.T) {
 				"foo": &sample_report.InstanceParam{
 					// missing all fields
 					Res1: &sample_report.Res1InstanceParam{
-					// missing all fields
+						// missing all fields
 					},
 				},
 				"bar": &sample_report.InstanceParam{

pilot/docker/envoy_pilot_auth.json

@@ -54,6 +54,33 @@
     },
     "bind_to_port": true
    },
+    {
+      "address": "tcp://0.0.0.0:15011",
+      "name": "tcp_0.0.0.0_15011",
+      "filters": [
+        {
+          "type": "read",
+          "name": "tcp_proxy",
+          "config": {
+            "stat_prefix": "tcp",
+            "route_config": {
+              "routes": [
+                {
+                  "cluster": "in.15010"
+                }
+              ]
+            }
+          }
+        }
+      ],
+      "ssl_context": {
+        "cert_chain_file": "/etc/certs/cert-chain.pem",
+        "private_key_file": "/etc/certs/key.pem",
+        "ca_cert_file": "/etc/certs/root-cert.pem",
+        "require_client_certificate": true
+      },
+      "bind_to_port": true
+    },
    {
     "address": "tcp://0.0.0.0:15007",
     "name": "tcp_0.0.0.0_15007",
@@ -92,6 +119,17 @@
             "url": "tcp://127.0.0.1:8080"
           }
         ]
+      },
+      {
+        "name": "in.15010",
+        "connect_timeout_ms": 1000,
+        "type": "static",
+        "lb_type": "round_robin",
+        "hosts": [
+          {
+            "url": "tcp://127.0.0.1:15010"
+          }
+        ]
       }
     ]
   }

pilot/pkg/bootstrap/monitoring.go

@@ -21,6 +21,8 @@ import (
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
+	envoyv2 "istio.io/istio/pilot/pkg/proxy/envoy/v2"
+
 	"istio.io/istio/pkg/log"
 	"istio.io/istio/pkg/version"
 )
@@ -58,6 +60,7 @@ func startMonitor(port int) (*monitor, error) {
 			log.Errorf("Unable to write version string: %v", err)
 		}
 	})
+	mux.HandleFunc("/debug/edsz", envoyv2.Edsz)
 
 	m.monitoringServer = &http.Server{
 		Handler: mux,

pilot/pkg/bootstrap/server.go

@@ -606,6 +606,7 @@ func (s *Server) initServiceControllers(args *PilotArgs) error {
 	return nil
 }
 func initMemoryRegistry(s *Server, serviceControllers *aggregate.Controller) {
+	// ServiceDiscovery implementation
 	discovery1 := mock.NewDiscovery(
 		map[string]*model.Service{
 			//			mock.HelloService.Hostname: mock.HelloService,
@@ -658,6 +659,7 @@ func (s *Server) initDiscoveryService(args *PilotArgs) error {
 
 	// For now we create the gRPC server sourcing data from Pilot's older data model.
 	s.initGrpcServer()
+	envoy.V2ClearCache = envoyv2.EdsPushAll
 	s.EnvoyXdsServer = envoyv2.NewDiscoveryServer(discovery, s.GRPCServer, environment)
 
 	s.HTTPServer = &http.Server{

pilot/pkg/proxy/envoy/v1/discovery.go

@@ -117,6 +117,10 @@ var (
 	clearCacheTimerSet bool
 	clearCacheMutex    sync.Mutex
 	clearCacheTime     = 1
+
+	// V2ClearCache is a function to be called when the v1 cache is cleared. This is used to
+	// avoid adding a circular dependency from v1 to v2.
+	V2ClearCache func()
 )
 
 func init() {
@@ -486,6 +490,9 @@ func (ds *DiscoveryService) clearCache() {
 	ds.cdsCache.clear()
 	ds.rdsCache.clear()
 	ds.ldsCache.clear()
+	if V2ClearCache != nil {
+		V2ClearCache()
+	}
 }
 
 // ListAllEndpoints responds with all Services and is not restricted to a single service-key