feat(node metadata): add bits to extract metadata via sidecar injector (

istio#15551) * feat(node metadata): add bits to extract metadata via sidecar injector * add deployment case and update golden files * rebase cleanup * wip: update of logic around metadata and owner * update metadata capture and add exchange keys metadata * update golden files
mfilipiak-ccg · Aug 16, 2019 · 2a66836 · 2a66836
1 parent c53cd52
commit 2a66836
Show file tree

Hide file tree

Showing 83 changed files with 645 additions and 54 deletions.
diff --git a/install/kubernetes/helm/istio/files/injection-template.yaml b/install/kubernetes/helm/istio/files/injection-template.yaml
@@ -168,6 +168,10 @@ containers:
     valueFrom:
       fieldRef:
         fieldPath: status.podIP
+  - name: SERVICE_ACCOUNT
+    valueFrom:
+      fieldRef:
+        fieldPath: spec.serviceAccountName
 {{ if eq .Values.global.proxy.tracer "datadog" }}
   - name: HOST_IP
     valueFrom:
@@ -200,6 +204,14 @@ containers:
     value: |
            {{ toJSON .ObjectMeta.Labels }}
   {{ end }}
+  {{- if .DeploymentMeta.Name }}
+  - name: ISTIO_META_WORKLOAD_NAME
+    value: {{ .DeploymentMeta.Name }}
+  {{ end }}
+  {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+  - name: ISTIO_META_OWNER
+    value: kubernetes://api/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}/{{ .DeploymentMeta.Name }}
+   {{- end}}
   {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
   - name: ISTIO_BOOTSTRAP_OVERRIDE
     value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"

diff --git a/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected
@@ -62,6 +62,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
             - name: ISTIO_META_POD_NAME
               valueFrom:
                 fieldRef:

diff --git a/pilot/pkg/model/context.go b/pilot/pkg/model/context.go
@@ -532,6 +532,35 @@ const (
 	// NodeMetadataIdleTimeout specifies the idle timeout for the proxy, in duration format (10s).
 	// If not set, no timeout is set.
 	NodeMetadataIdleTimeout = "IDLE_TIMEOUT"
+
+	// NodeMetadataCanonicalTelemetryService specifies the service name to use for all node telemetry.
+	NodeMetadataCanonicalTelemetryService = "CANONICAL_TELEMETRY_SERVICE"
+
+	// NodeMetadataLabels specifies the set of workload instance (ex: k8s pod) labels associated with this node.
+	NodeMetadataLabels = "LABELS"
+
+	// NodeMetadataWorkloadName specifies the name of the workload represented by this node.
+	NodeMetadataWorkloadName = "WORKLOAD_NAME"
+
+	// NodeMetadataOwner specifies the workload owner (opaque string). Typically, this is the owning controller of
+	// of the workload instance (ex: k8s deployment for a k8s pod).
+	NodeMetadataOwner = "OWNER"
+
+	// NodeMetadataServiceAccount specifies the service account which is running the workload.
+	NodeMetadataServiceAccount = "SERVICE_ACCOUNT"
+
+	// NodeMetadataPlatformMetadata contains any platform specific metadata
+	NodeMetadataPlatformMetadata = "PLATFORM_METADATA"
+
+	// NodeMetadataInstanceName is the short name for the workload instance (ex: pod name)
+	NodeMetadataInstanceName = "NAME" // replaces POD_NAME
+
+	// NodeMetadataNamespace is the namespace in which the workload instance is running.
+	NodeMetadataNamespace = "NAMESPACE" // replaces CONFIG_NAMESPACE
+
+	// NodeMetadataExchangeKeys specifies a list of metadata keys that should be used for Node Metadata Exchange.
+	// The list is comma-separated.
+	NodeMetadataExchangeKeys = "EXCHANGE_KEYS"
 )
 
 // TrafficInterceptionMode indicates how traffic to/from the workload is captured and

diff --git a/pkg/bootstrap/bootstrap_config.go b/pkg/bootstrap/bootstrap_config.go
@@ -32,21 +32,19 @@ import (
 	"github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
 	"github.com/gogo/protobuf/types"
 	"github.com/pkg/errors"
-
 	"golang.org/x/oauth2/google"
 
 	"istio.io/api/annotation"
 	meshconfig "istio.io/api/mesh/v1alpha1"
 	networking "istio.io/api/networking/v1alpha3"
-	"istio.io/pkg/env"
-	"istio.io/pkg/log"
-
 	"istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pilot/pkg/networking/util"
 	"istio.io/istio/pkg/bootstrap/auth"
 	"istio.io/istio/pkg/bootstrap/platform"
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/spiffe"
+	"istio.io/pkg/env"
+	"istio.io/pkg/log"
 )
 
 // Generate the envoy v2 bootstrap configuration, using template.
@@ -75,6 +73,20 @@ var (
 	// required stats are used by readiness checks.
 	requiredEnvoyStatsMatcherInclusionPrefixes = "cluster_manager,listener_manager,http_mixer_filter,tcp_mixer_filter,server,cluster.xds-grpc"
 	requiredEnvoyStatsMatcherInclusionSuffix   = "ssl_context_update_by_sds"
+
+	metadataExchangeKeys = strings.Join(
+		[]string{
+			model.NodeMetadataInstanceName,
+			model.NodeMetadataNamespace,
+			model.NodeMetadataInstanceIPs,
+			model.NodeMetadataLabels,
+			model.NodeMetadataOwner,
+			model.NodeMetadataPlatformMetadata,
+			model.NodeMetadataWorkloadName,
+			model.NodeMetadataCanonicalTelemetryService,
+			model.NodeMetadataMeshID,
+			model.NodeMetadataServiceAccount,
+		}, ",")
 )
 
 // substituteValues substitutes variables known to the boostrap like pod_ip.
@@ -229,22 +241,10 @@ func extractMetadata(envs []string, prefix string, set setMetaFunc, meta map[str
 	}
 }
 
-type istioMetadata struct {
-	CanonicalTelemetryService string            `json:"canonical_telemetry_service,omitempty"`
-	IP                        string            `json:"ip,omitempty"`
-	Labels                    map[string]string `json:"labels,omitempty"`
-	Name                      string            `json:"name,omitempty"`
-	Namespace                 string            `json:"namespace,omitempty"`
-	ServiceAccount            string            `json:"service_account,omitempty"`
-	PlatformMetadata          map[string]string `json:"platform_metadata,omitempty"`
-}
-
 func shouldExtract(envVar, prefix string) bool {
-	// this will allow transition from current method of exposition in the future
-	// Example:
-	// if strings.HasPrefix(envVar, "ISTIO_METAJSON_LABELS") {
-	// 	return false
-	// }
+	if strings.HasPrefix(envVar, "ISTIO_META_WORKLOAD") {
+		return false
+	}
 	return strings.HasPrefix(envVar, prefix)
 }
 
@@ -268,27 +268,34 @@ func jsonStringToMap(jsonStr string) (m map[string]string) {
 	return
 }
 
-func extractIstioMetadata(envVars []string, plat platform.Environment) istioMetadata {
-	im := istioMetadata{}
+func extractAttributesMetadata(envVars []string, plat platform.Environment, meta map[string]interface{}) {
 	for _, varStr := range envVars {
 		name, val := parseEnvVar(varStr)
 		switch name {
-		case "INSTANCE_IP":
-			im.IP = val
 		case "ISTIO_METAJSON_LABELS":
 			m := jsonStringToMap(val)
-			im.Labels = m
-			im.CanonicalTelemetryService = m["istioTelemetryService"]
+			if len(m) > 0 {
+				meta[model.NodeMetadataLabels] = m
+				if telemetrySvc := m["istioTelemetryService"]; len(telemetrySvc) > 0 {
+					meta[model.NodeMetadataCanonicalTelemetryService] = m["istioTelemetryService"]
+				}
+			}
 		case "POD_NAME":
-			im.Name = val
+			meta[model.NodeMetadataInstanceName] = val
 		case "POD_NAMESPACE":
-			im.Namespace = val
+			meta[model.NodeMetadataNamespace] = val
+		case "ISTIO_META_OWNER":
+			meta[model.NodeMetadataOwner] = val
+		case "ISTIO_META_WORKLOAD_NAME":
+			meta[model.NodeMetadataWorkloadName] = val
+		case "SERVICE_ACCOUNT":
+			meta[model.NodeMetadataServiceAccount] = val
 		}
 	}
-	if plat != nil {
-		im.PlatformMetadata = plat.Metadata()
+	if plat != nil && len(plat.Metadata()) > 0 {
+		meta[model.NodeMetadataPlatformMetadata] = plat.Metadata()
 	}
-	return im
+	meta[model.NodeMetadataExchangeKeys] = metadataExchangeKeys
 }
 
 // getNodeMetaData function uses an environment variable contract
@@ -310,7 +317,7 @@ func getNodeMetaData(envs []string, plat platform.Environment) map[string]interf
 	}, meta)
 	meta["istio"] = "sidecar"
 
-	meta["istio.io/metadata"] = extractIstioMetadata(envs, plat)
+	extractAttributesMetadata(envs, plat, meta)
 
 	return meta
 }

diff --git a/pkg/bootstrap/bootstrap_config_test.go b/pkg/bootstrap/bootstrap_config_test.go
@@ -36,6 +36,7 @@ import (
 	"istio.io/api/annotation"
 	meshconfig "istio.io/api/mesh/v1alpha1"
 	ocv1 "istio.io/gogo-genproto/opencensus/proto/trace/v1"
+	"istio.io/istio/pilot/pkg/model"
 	"istio.io/istio/pkg/bootstrap/platform"
 	"istio.io/istio/pkg/test/env"
 )
@@ -632,13 +633,12 @@ func TestNodeMetadata(t *testing.T) {
 	plat := &fakePlatform{meta: map[string]string{"some_env": "foo", "other_env": "bar"}}
 
 	wantMap := map[string]interface{}{
-		"istio": "sidecar",
-		"istio.io/metadata": istioMetadata{
-			Labels:           labels,
-			PlatformMetadata: map[string]string{"some_env": "foo", "other_env": "bar"},
-		},
-		"l1": "v1",
-		"l2": "v2",
+		"istio":                            "sidecar",
+		model.NodeMetadataExchangeKeys:     metadataExchangeKeys,
+		model.NodeMetadataLabels:           labels,
+		model.NodeMetadataPlatformMetadata: map[string]string{"some_env": "foo", "other_env": "bar"},
+		"l1":                               "v1",
+		"l2":                               "v2",
 	}
 
 	_, envs := createEnv(t, labels, nil)

diff --git a/pkg/bootstrap/testdata/all_golden.json b/pkg/bootstrap/testdata/all_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/auth_golden.json b/pkg/bootstrap/testdata/auth_golden.json
@@ -6,7 +6,7 @@
     "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6", "istio":"sidecar",
       "ISTIO_META_SDS": "1",
       "ISTIO_META_TRUSTJWT": "1",
-      "istio.io/metadata":{}}
+      "EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/default_golden.json b/pkg/bootstrap/testdata/default_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/running_golden.json b/pkg/bootstrap/testdata/running_golden.json
@@ -20,15 +20,13 @@
       "istio":"sidecar",
       "istio.io/insecurepath":"{\"paths\":[\"/metrics\",\"/live\"]}",
       "istio-locality": "regionA.zoneB.sub_zoneC",
-      "istio.io/metadata": {
-        "ip": "10.10.10.1",
-        "name" : "svc-0-0-0-6944fb884d-4pgx8",
-        "namespace": "test",
-        "labels": {
+      "EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT",
+      "NAME": "svc-0-0-0-6944fb884d-4pgx8",
+      "NAMESPACE": "test",
+      "LABELS": {
           "version": "v1alpha1",
           "app": "test",
           "istio-locality": "regionA.zoneB.sub_zoneC"
-        }
       }
     }
   },

diff --git a/pkg/bootstrap/testdata/stats_inclusion_golden.json b/pkg/bootstrap/testdata/stats_inclusion_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{},"sidecar.istio.io/statsInclusionPrefixes":"cluster_manager,cluster.xds-grpc,listener."}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","sidecar.istio.io/statsInclusionPrefixes":"cluster_manager,cluster.xds-grpc,listener.","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/tracing_datadog_golden.json b/pkg/bootstrap/testdata/tracing_datadog_golden.json
@@ -7,7 +7,7 @@
 
 
     },
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/tracing_lightstep_golden.json b/pkg/bootstrap/testdata/tracing_lightstep_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/tracing_stackdriver_golden.json b/pkg/bootstrap/testdata/tracing_stackdriver_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,

diff --git a/pkg/bootstrap/testdata/tracing_zipkin_golden.json b/pkg/bootstrap/testdata/tracing_zipkin_golden.json
@@ -3,7 +3,7 @@
     "id": "sidecar~1.2.3.4~foo~bar",
     "cluster": "istio-proxy",
     "locality": {},
-    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","istio.io/metadata":{}}
+    "metadata": {"INSTANCE_IPS":"10.3.3.3,10.4.4.4,10.5.5.5,10.6.6.6","istio":"sidecar","EXCHANGE_KEYS":"NAME,NAMESPACE,INSTANCE_IPS,LABELS,OWNER,PLATFORM_METADATA,WORKLOAD_NAME,CANONICAL_TELEMETRY_SERVICE,MESH_ID,SERVICE_ACCOUNT"}
   },
   "stats_config": {
     "use_all_default_tags": false,