k8s: switch service-related annotations to the service.cilium.io/... …

…form This commit converts the service-related annotations to the service.cilium.io/... form, to match the style adopted by Kubernetes (e.g., kubernetes.io/egress-bandwidth). The old ones are maintained as an alias for backward compatibility, except for the keys associated with proxy load balancing, as not yet documented. Signed-off-by: Marco Iorio <[email protected]>
rockc2020 · Feb 1, 2023 · 1f1f715 · 1f1f715
1 parent 6be2ebb
commit 1f1f715
Show file tree

Hide file tree

Showing 18 changed files with 84 additions and 62 deletions.
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/Documentation/internals/cilium_operator.rst b/Documentation/internals/cilium_operator.rst
@@ -96,7 +96,7 @@ external KVStore configured for the Cilium Operator if running with
 ``--synchronize-k8s-services`` flag.
 
 The Cilium Operator performs this operation only for shared services (services
-that have ``io.cilium/shared-service`` annotation set to true). This is
+that have ``service.cilium.io/shared`` annotation set to true). This is
 meaningful when running Cilium to setup a ClusterMesh.
 
 K8s Nodes synchronization

diff --git a/Documentation/network/clustermesh/affinity.rst b/Documentation/network/clustermesh/affinity.rst
@@ -18,10 +18,10 @@ Enabling Global Service Affinity
 ################################
 
 Load-balancing across multiple clusters might not be ideal in some cases.
-The annotation ``io.cilium/service-affinity: "local|remote|none"`` can be used
+The annotation ``service.cilium.io/affinity: "local|remote|none"`` can be used
 to specify the preferred endpoint destination.
 
-For example, if the value of annotation ``io.cilium/service-affinity`` is local,
+For example, if the value of annotation ``service.cilium.io/affinity`` is local,
 the Global Service will load-balance across healthy ``local`` backends, and only user
 remote endpoints if and only if all of local backends are not available or unhealthy.
 
@@ -32,15 +32,15 @@ remote endpoints if and only if all of local backends are not available or unhea
    metadata:
      name: rebel-base
      annotations:
-        io.cilium/global-service: "true"
+        service.cilium.io/global: "true"
         # Possible values:
         # - local
         #    preferred endpoints from local cluster if available
         # - remote
         #    preferred endpoints from remote cluster if available
         # none (default)
         #    no preference. Default behavior if this annotation does not exist
-        io.cilium/service-affinity: "local"
+        service.cilium.io/affinity: "local"
    spec:
      type: ClusterIP
      ports:
@@ -49,11 +49,11 @@ remote endpoints if and only if all of local backends are not available or unhea
        name: rebel-base
 
 
-1. In cluster 1, add ``io.cilium/service-affinity="local"`` to existing global service
+1. In cluster 1, add ``service.cilium.io/affinity="local"`` to existing global service
 
    .. code-block:: shell-session
 
-      kubectl annotate service rebel-base io.cilium/service-affinity=local --overwrite
+      kubectl annotate service rebel-base service.cilium.io/affinity=local --overwrite
 
 2. From cluster 1, access the global service:
 
@@ -90,11 +90,11 @@ remote endpoints if and only if all of local backends are not available or unhea
                                               3 => 10.244.2.31:80 (active) (preferred)
                                               4 => 10.244.2.200:80 (active)
 
-5. In cluster 1, change ``io.cilium/service-affinity`` value to ``remote`` for existing global service
+5. In cluster 1, change ``service.cilium.io/affinity`` value to ``remote`` for existing global service
 
    .. code-block:: shell-session
 
-      kubectl annotate service rebel-base io.cilium/service-affinity=remote --overwrite
+      kubectl annotate service rebel-base service.cilium.io/affinity=remote --overwrite
 
 6. From cluster 1, access the global service:
 
@@ -131,11 +131,11 @@ remote endpoints if and only if all of local backends are not available or unhea
 
    You will see replies from pods in both clusters as usual.
 
-9. In cluster 1, remove ``io.cilium/service-affinity`` annotation for existing global service
+9. In cluster 1, remove ``service.cilium.io/affinity`` annotation for existing global service
 
    .. code-block:: shell-session
 
-      kubectl annotate service rebel-base io.cilium/service-affinity- --overwrite
+      kubectl annotate service rebel-base service.cilium.io/affinity- --overwrite
 
 10. From either cluster, access the global service:
 

diff --git a/Documentation/network/clustermesh/services.rst b/Documentation/network/clustermesh/services.rst
@@ -18,7 +18,7 @@ Load-balancing with Global Services
 
 Establishing load-balancing between clusters is achieved by defining a
 Kubernetes service with identical name and namespace in each cluster and adding
-the annotation ``io.cilium/global-service: "true"`` to declare it global.
+the annotation ``service.cilium.io/global: "true"`` to declare it global.
 Cilium will automatically perform load-balancing to pods in both clusters.
 
 .. literalinclude:: ../../../examples/kubernetes/clustermesh/global-service-example/rebel-base-global-shared.yaml
@@ -28,7 +28,7 @@ Disabling Global Service Sharing
 ################################
 
 By default, a Global Service will load-balance across backends in multiple clusters.
-This implicitly configures ``io.cilium/shared-service: "true"``. To prevent service
+This implicitly configures ``service.cilium.io/shared: "true"``. To prevent service
 backends from being shared to other clusters, this option should be disabled.
 
 Below example will expose remote endpoint without sharing local endpoints.
@@ -40,8 +40,8 @@ Below example will expose remote endpoint without sharing local endpoints.
    metadata:
      name: rebel-base
      annotations:
-       io.cilium/global-service: "true"
-       io.cilium/shared-service: "false"
+       service.cilium.io/global: "true"
+       service.cilium.io/shared: "false"
    spec:
      type: ClusterIP
      ports:
@@ -75,11 +75,11 @@ Deploying a Simple Example Service
 
    You will see replies from pods in both clusters.
 
-4. In cluster 1, add ``io.cilium/shared-service="false"`` to existing global service
+4. In cluster 1, add ``service.cilium.io/shared="false"`` to existing global service
 
    .. code-block:: shell-session
 
-      kubectl annotate service rebel-base io.cilium/shared-service="false" --overwrite
+      kubectl annotate service rebel-base service.cilium.io/shared="false" --overwrite
 
 5. From cluster 1, access the global service one more time:
 
@@ -97,11 +97,11 @@ Deploying a Simple Example Service
 
    You will see replies from pods only from cluster 2, as the global service in cluster 1 is no longer shared.
 
-7. In cluster 1, remove ``io.cilium/shared-service`` annotation of existing global service
+7. In cluster 1, remove ``service.cilium.io/shared`` annotation of existing global service
 
    .. code-block:: shell-session
 
-      kubectl annotate service rebel-base io.cilium/shared-service-
+      kubectl annotate service rebel-base service.cilium.io/shared-
 
 8. From either cluster, access the global service:
 

diff --git a/clustermesh-apiserver/test/mock.json b/clustermesh-apiserver/test/mock.json
@@ -11,5 +11,5 @@
 {"kind": "CiliumIdentity", "metadata": {"name": "1111"}, "security-labels": {"name": "id1"}}
 {"kind": "CiliumIdentity", "metadata": {"name": "2222"}, "security-labels": {"name": "id2"}}
 {"kind": "CiliumIdentity", "metadata": {"name": "3333"}, "security-labels": {"name": "id3"}}
-{"kind": "Service", "metadata": {"name": "foo", "namespace": "default", "annotations": {"io.cilium/global-service": "true"}}, "spec": {"clusterIP": "20.10.10.10", "ports": [{"name": "https", "port": 443, "protocol": "TCP", "targetPort": 443}], "type": "ClusterIP"}}
+{"kind": "Service", "metadata": {"name": "foo", "namespace": "default", "annotations": {"service.cilium.io/global": "true"}}, "spec": {"clusterIP": "20.10.10.10", "ports": [{"name": "https", "port": 443, "protocol": "TCP", "targetPort": 443}], "type": "ClusterIP"}}
 {"kind": "Endpoints", "metadata": {"name": "foo", "namespace": "default"}, "subsets": [{"addresses": [{"ip": "34.90.138.138"}], "ports": [{"name": "https", "port": 443, "protocol": "TCP"}]}]}
diff --git a/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml b/examples/kubernetes/clustermesh/global-service-example/cluster1.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
   name: rebel-base
   annotations:
-    io.cilium/global-service: "true"
+    service.cilium.io/global: "true"
 spec:
   type: ClusterIP
   ports:

diff --git a/examples/kubernetes/clustermesh/global-service-example/cluster2.yaml b/examples/kubernetes/clustermesh/global-service-example/cluster2.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
   name: rebel-base
   annotations:
-    io.cilium/global-service: "true"
+    service.cilium.io/global: "true"
 spec:
   type: ClusterIP
   ports:

diff --git a/examples/kubernetes/clustermesh/global-service-example/rebel-base-global-shared.yaml b/examples/kubernetes/clustermesh/global-service-example/rebel-base-global-shared.yaml
@@ -3,7 +3,7 @@ kind: Service
 metadata:
   name: rebel-base
   annotations:
-    io.cilium/global-service: "true"
+    service.cilium.io/global: "true"
 spec:
   type: ClusterIP
   ports:

diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
@@ -420,8 +420,8 @@ contributors across the globe, there is almost always someone available to help.
 | livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | loadBalancer | object | `{"l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing |
 | loadBalancer.l7 | object | `{"algorithm":"round_robin","backend":"disabled","ports":[]}` | L7 LoadBalancer |
-| loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. io.cilium.service/lb-algorithm) Applicable values: round_robin, least_request, random |
-| loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. io.cilium.service/lb-protocol, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration.  Applicable values:   - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.   - disabled: Disable L7 load balancing. |
+| loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random |
+| loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration.  Applicable values:   - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.   - disabled: Disable L7 load balancing. |
 | loadBalancer.l7.ports | list | `[]` | List of ports from service to be automatically redirected to above backend. Any service exposing one of these ports will be automatically redirected. Fine-grained control can be achieved by using the service annotation. |
 | localRedirectPolicy | bool | `false` | Enable Local Redirect Policy. |
 | logSystemLoad | bool | `false` | Enables periodic logging of system load |

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -1575,7 +1575,7 @@ loadBalancer:
   # -- L7 LoadBalancer
   l7:
     # -- Enable L7 service load balancing via envoy proxy.
-    # The request to a k8s service, which has specific annotation e.g. io.cilium.service/lb-protocol,
+    # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
     # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
     # Please refer to docs for supported annotations for more configuration.
     #
@@ -1589,7 +1589,7 @@ loadBalancer:
     ports: []
     # -- Default LB algorithm
     # The default LB algorithm to be used for services, which can be overridden by the
-    # service annotation (e.g. io.cilium.service/lb-algorithm)
+    # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
     # Applicable values: round_robin, least_request, random
     algorithm: round_robin
 

diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -1572,7 +1572,7 @@ loadBalancer:
   # -- L7 LoadBalancer
   l7:
     # -- Enable L7 service load balancing via envoy proxy.
-    # The request to a k8s service, which has specific annotation e.g. io.cilium.service/lb-protocol,
+    # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
     # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
     # Please refer to docs for supported annotations for more configuration.
     #
@@ -1586,7 +1586,7 @@ loadBalancer:
     ports: []
     # -- Default LB algorithm
     # The default LB algorithm to be used for services, which can be overridden by the
-    # service annotation (e.g. io.cilium.service/lb-algorithm)
+    # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
     # Applicable values: round_robin, least_request, random
     algorithm: round_robin
 

diff --git a/operator/pkg/ciliumenvoyconfig/annotations.go b/operator/pkg/ciliumenvoyconfig/annotations.go
@@ -16,9 +16,8 @@ import (
 )
 
 const (
-	servicePrefixAnnotation = annotation.Prefix + ".service"
-	lbEnabledAnnotation     = servicePrefixAnnotation + "/lb-l7"
-	lbModeAnnotation        = servicePrefixAnnotation + "/lb-l7-algorithm"
+	lbEnabledAnnotation = annotation.ServicePrefix + "/lb-l7"
+	lbModeAnnotation    = annotation.ServicePrefix + "/lb-l7-algorithm"
 )
 
 type clusterMutator func(*envoy_config_cluster_v3.Cluster) *envoy_config_cluster_v3.Cluster

diff --git a/pkg/annotation/k8s.go b/pkg/annotation/k8s.go
@@ -9,6 +9,9 @@ const (
 	// Prefix is the common prefix for all annotations
 	Prefix = "io.cilium"
 
+	// ServicePrefix is the common prefix for service related annotations.
+	ServicePrefix = "service.cilium.io"
+
 	// Name is an optional annotation to the NetworkPolicy
 	// resource which specifies the name of the policy node to which all
 	// rules should be applied to.
@@ -47,26 +50,30 @@ const (
 	// key of the cilium host interface in the node's annotation.
 	CiliumEncryptionKey = Prefix + ".network.encryption-key"
 
-	// GlobalService if set to true, marks a service to become a global
-	// service
-	GlobalService = Prefix + "/global-service"
+	// GlobalService / GlobalServiceAlias if set to true, marks a service to
+	// become a global service.
+	GlobalService      = ServicePrefix + "/global"
+	GlobalServiceAlias = Prefix + "/global-service"
 
-	// SharedService if set to false, prevents a service from being shared,
-	// the default is true if GlobalService is set, otherwise false,
-	// Setting the annotation SharedService to false while setting
+	// SharedService / SharedServiceAlias if set to false, prevents a service
+	// from being shared, the default is true if GlobalService is set, otherwise
+	// false. Setting the annotation SharedService to false while setting
 	// GlobalService to true allows to expose remote endpoints without
 	// sharing local endpoints.
-	SharedService = Prefix + "/shared-service"
+	SharedService      = ServicePrefix + "/shared"
+	SharedServiceAlias = Prefix + "/shared-service"
 
-	// ServiceAffinity annotations determines the preferred endpoint destination
+	// ServiceAffinity / ServiceAffinityAlias annotations determines the
+	// preferred endpoint destination.
 	// Allowed values:
 	//  - local
 	//		preferred endpoints from local cluster if available
 	//  - remote
 	// 		preferred endpoints from remote cluster if available
 	//  - none (default)
 	//		no preference. Default behavior if this annotation does not exist
-	ServiceAffinity = Prefix + "/service-affinity"
+	ServiceAffinity      = ServicePrefix + "/affinity"
+	ServiceAffinityAlias = Prefix + "/service-affinity"
 
 	// ProxyVisibility is the annotation name used to indicate whether proxy
 	// visibility should be enabled for a given pod (i.e., all traffic for the

diff --git a/pkg/clustermesh/services_test.go b/pkg/clustermesh/services_test.go
@@ -157,7 +157,7 @@ func (s *ClusterMeshServicesTestSuite) TestClusterMeshServicesGlobal(c *C) {
 			Name:      "foo",
 			Namespace: "default",
 			Annotations: map[string]string{
-				"io.cilium/global-service": "true",
+				"service.cilium.io/global": "true",
 			},
 		},
 		Spec: slim_corev1.ServiceSpec{
@@ -233,7 +233,7 @@ func (s *ClusterMeshServicesTestSuite) TestClusterMeshServicesUpdate(c *C) {
 			Name:      "foo",
 			Namespace: "default",
 			Annotations: map[string]string{
-				"io.cilium/global-service": "true",
+				"service.cilium.io/global": "true",
 			},
 		},
 		Spec: slim_corev1.ServiceSpec{

diff --git a/pkg/k8s/factory_functions_test.go b/pkg/k8s/factory_functions_test.go
@@ -888,7 +888,7 @@ func (s *K8sSuite) Test_EqualV1Service(c *C) {
 				o2: &slim_corev1.Service{
 					ObjectMeta: slim_metav1.ObjectMeta{
 						Annotations: map[string]string{
-							"io.cilium/shared-service": "true",
+							"service.cilium.io/shared": "true",
 						},
 					},
 				},

diff --git a/pkg/k8s/service.go b/pkg/k8s/service.go
@@ -36,7 +36,7 @@ const (
 )
 
 func getAnnotationIncludeExternal(svc *slim_corev1.Service) bool {
-	if value, ok := svc.ObjectMeta.Annotations[annotation.GlobalService]; ok {
+	if value, ok := annotation.Get(svc, annotation.GlobalService, annotation.GlobalServiceAlias); ok {
 		return strings.ToLower(value) == "true"
 	}
 
@@ -49,7 +49,7 @@ func getAnnotationShared(svc *slim_corev1.Service) bool {
 		return false
 	}
 
-	if value, ok := svc.ObjectMeta.Annotations[annotation.SharedService]; ok {
+	if value, ok := annotation.Get(svc, annotation.SharedService, annotation.SharedServiceAlias); ok {
 		return strings.ToLower(value) == "true"
 	}
 
@@ -63,9 +63,10 @@ func getAnnotationServiceAffinity(svc *slim_corev1.Service) string {
 		return serviceAffinityNone
 	}
 
-	if value, ok := svc.ObjectMeta.Annotations[annotation.ServiceAffinity]; ok {
+	if value, ok := annotation.Get(svc, annotation.ServiceAffinity, annotation.ServiceAffinityAlias); ok {
 		return strings.ToLower(value)
 	}
+
 	return serviceAffinityNone
 }
 

diff --git a/pkg/k8s/service_cache_test.go b/pkg/k8s/service_cache_test.go
@@ -335,7 +335,7 @@ func (s *K8sSuite) TestExternalServiceMerging(c *check.C) {
 			Name:      "foo",
 			Namespace: "bar",
 			Annotations: map[string]string{
-				"io.cilium/global-service": "true",
+				"service.cilium.io/global": "true",
 			},
 		},
 		Spec: slim_corev1.ServiceSpec{
@@ -598,7 +598,7 @@ func (s *K8sSuite) TestExternalServiceMerging(c *check.C) {
 					"foo": "bar",
 				},
 				Annotations: map[string]string{
-					"io.cilium/global-service": "true",
+					"service.cilium.io/global": "true",
 				},
 			},
 			Spec: slim_corev1.ServiceSpec{
@@ -777,7 +777,7 @@ func (s *K8sSuite) TestNonSharedService(c *check.C) {
 			Name:      "foo",
 			Namespace: "bar",
 			Annotations: map[string]string{
-				"io.cilium/global-service": "false",
+				"service.cilium.io/global": "false",
 			},
 		},
 		Spec: slim_corev1.ServiceSpec{