
guptasu/api 0

API, config definitions and standard vocabulary definitions for the Istio project

guptasu/api-models 0

Repository for API models in Swagger 2.0 format

guptasu/argo 0

ArgoProj: Get stuff done with Kubernetes.

guptasu/aws-apigateway-swagger-importer 0

Tools to work with Amazon API Gateway and Swagger

guptasu/contrib 0

Community contributions to support the core Istio project.

guptasu/gcloud-java 0

Google Cloud Client Library for Java

guptasu/gnostic 0

Compile OpenAPI descriptions into equivalent Protocol Buffer representations.

issue opened googleapis/gax-dotnet

Include container_name in the GKE monitored resource

The GKE monitored resource gets most of the labels correct, but misses container_name

created time in 4 hours

issue opened googleapis/gax-dotnet

Detect GKE platform with Windows containers

Currently Platform.Instance() fails to correctly detect GKE on Windows.

created time in 5 hours

issue opened istio/api

Add more match_type in StringMatch

(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request

Current StringMatch match_type only supports exact/prefix/regex; Envoy supports more match types. Adding range match or suffix match to match_type may be a good idea.

Describe alternatives you've considered

Affected product area (please put an X in all that apply)

[x] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience

Additional context

created time in 14 hours

issue comment istio/api

Add annotation feature status "RETIRED"

reassigning to @brian-avery who is taking over this work.

nmittler

comment created time in 19 hours

push event googleapis/gax-java

release-please[bot]

commit sha 48f99ae9333e617fab95dffdb4e457ec91e303f4

chore: release 1.60.2-SNAPSHOT (#1253) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>

push time in 20 hours

delete branch googleapis/gax-java

delete branch : release-v1.60.2-SNAPSHOT

delete time in 20 hours

PR merged googleapis/gax-java

chore: release 1.60.2-SNAPSHOT cla: yes kokoro:force-run type: process

:robot: I have created a release *beep* *boop*

Updating meta-information for bleeding-edge SNAPSHOT release.


This PR was generated with Release Please.

+24 -24

1 comment

10 changed files

release-please[bot]

pr closed time in 20 hours

pull request comment istio/api

Add config to enable application logs formatted for stackdriver

@douglas-reid : Using log-as-json does solve problems of logs getting split into multiple lines and log not getting marked correctly as error if it is an error. Ex: https://screenshot.googleplex.com/AdyyxCxtAhDoGrM.

gargnupur

comment created time in a day

Pull request review comment googleapis/gax-java

feat: add mtls feature to http and grpc transport provider

 private ManagedChannel createSingleChannel() throws IOException {             .intercept(metadataHandlerInterceptor)             .userAgent(headerInterceptor.getUserAgentHeader())             .executor(executor);+    SslContext sslContext = createSslContext();+    if (sslContext != null) {+      builder = ((NettyChannelBuilder) builder).sslContext(sslContext);
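
Review bot: In the `if (sslContext != null)` branch, a null from createSslContext() leaves the builder on its default transport security with no log line or exception, and the visible lines do not say what null means. Document the null contract on createSslContext(), and if null can also mean the client certificate or key could not be loaded, throw the IOException that createSingleChannel() already declares rather than falling through to a channel without the client certificate.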

The only way this would be safe is if this builder was created with a method like NettyChannelBuilder.forTarget(). If you use ManagedChannelBuilder.forTarget() then there are no guarantees about the type of object returned, and that can change based on the environment or every process.

arithmetic1728

comment created time in a day

pull request comment googleapis/gax-java

feat: add mtls feature to http and grpc transport provider

As I mentioned in grpc/grpc-java#7667, even non-shaded Netty is a no-no for gax, as it is unstable API. Gax should really be using https://github.com/grpc/grpc-java-api-checker, to make that sort of bug a compile error. Discussion about which API to use (there isn't one currently) will continue on grpc/grpc-java#7667

arithmetic1728

comment created time in a day

push event googleapis/artman

Romario Maxwell

commit sha 46ab071ea1339774e18f64be148bde5e02afec76

Fix typo in installing.rst (#852)

push time in 4 days

PR merged googleapis/artman

Fix typo in installing.rst cla: yes
+1 -1

0 comment

1 changed file

macsual

pr closed time in 4 days

push event istio/api

Istio Automation

commit sha ff38285ef31b78e59409db032b5228178ab06128

Automator: update common-files@release-1.7 in istio/api@release-1.7 (#1764)

push time in 5 days

PR merged istio/api

Automator: update common-files@release-1.7 in istio/api@release-1.7 auto-merge cla: yes release-notes-none size/XS

Generated by Automator - 2020-11-26T13:16:37+00:00

+2 -2

0 comment

2 changed files

istio-testing

pr closed time in 5 days

PR opened istio/api

Automator: update common-files@release-1.7 in istio/api@release-1.7

Generated by Automator - 2020-11-26T13:16:37+00:00

+2 -2

0 comment

2 changed files

pr created time in 5 days

Pull request review comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

+/*+ * Copyright 2020 Google LLC+ * Use of this source code is governed by a BSD-style+ * license that can be found in the LICENSE file or at+ * https://developers.google.com/open-source/licenses/bsd+ */++using Google.Protobuf;+using Grpc.Core;+using System;+using System.Net;+using System.Net.Http;+using System.Threading;+using System.Threading.Tasks;++namespace Google.Api.Gax.Grpc.Rest+{+    /// <summary>+    /// gRPC "channel" that really uses REST/JSON over HTTP to make RPCs.+    /// The channel is aware of which APIs it supports, so that it's able to perform the+    /// appropriate request translation.+    /// </summary>+    internal sealed class RestChannel : ChannelBase+    {+        private readonly AsyncAuthInterceptor _channelAuthInterceptor;+        private readonly HttpClient _httpClient;+        private readonly RestServiceCollection _serviceCollection;+        private readonly CallInvoker _callInvoker;++        public RestChannel(RestServiceCollection serviceCollection, string endpoint, ChannelCredentials credentials, GrpcChannelOptions options) : base(endpoint)+        {+            _serviceCollection = serviceCollection;++            // Reuse a single CallInvoker however many times CreateCallInvoker is called.+            _callInvoker = new RestCallInvoker(this);+            // TODO: Handle endpoints better...++            // TODO: Avoid creating an HTTP Client for every channel?+            _httpClient = new HttpClient { BaseAddress = new Uri($"https://{endpoint}") };+            _channelAuthInterceptor = credentials.ToAsyncAuthInterceptor();++            // TODO: Use options where appropriate.+        }++        public override CallInvoker CreateCallInvoker() => _callInvoker;++        /// <summary>+        /// Equivalent to <see cref="CallInvoker.AsyncUnaryCall{TRequest, TResponse}(Method{TRequest, TResponse}, string, CallOptions, TRequest)"/>.+        /// </summary>+        internal AsyncUnaryCall<TResponse> AsyncUnaryCall<TRequest, 
TResponse>(Method<TRequest, TResponse> method, string host, CallOptions options, TRequest request)+        {+            var restMethod = _serviceCollection.GetRestMethod(method);++            var cancellationTokenSource = new CancellationTokenSource();+            var httpResponseTask = SendAsync(restMethod, host, options, request, cancellationTokenSource.Token);+            var responseTask = restMethod.ReadResponseAsync<TResponse>(httpResponseTask);+            var responseHeadersTask = ReadHeadersAsync(httpResponseTask);
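
Review bot: In the RestChannel constructor, `new Uri($"https://{endpoint}")` interpolates the caller-supplied endpoint without validating it, so a value that already carries a scheme, user-info or a path yields a base address other than the intended host, or a UriFormatException. Suggest parsing the endpoint into host and port first and building the address with UriBuilder, which would also resolve the "Handle endpoints better" TODO on the line above.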

nit: should these two calls receive the cancellation token as param?

jskeet

comment created time in 5 days

Pull request review comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

+/*+ * Copyright 2020 Google LLC+ * Use of this source code is governed by a BSD-style+ * license that can be found in the LICENSE file or at+ * https://developers.google.com/open-source/licenses/bsd+ */++using Grpc.Core;+using System;+using System.Collections.Generic;++namespace Google.Api.Gax.Grpc.Rest+{+    /// <summary>+    /// Methods to convert ChannelCredentials and CallCredentials into AsyncAuthInterceptors,+    /// so we can ask them to populate auth headers.+    /// </summary>+    internal static class CredentialExtensions+    {+        /// <summary>+        /// Returns the async auth interceptor derived from the given channel credentials, or null+        /// if the channel credentials don't involve an interceptor.+        /// </summary>+        /// <param name="credentials">The channel credentials to convert.</param>+        internal static AsyncAuthInterceptor ToAsyncAuthInterceptor(this ChannelCredentials credentials)+        {+            var configurator = new RestChannelCredentialsConfigurator();+            credentials.InternalPopulateConfiguration(configurator, state: null);+            return configurator.Interceptor;+        }++        /// <summary>+        /// Returns the async auth interceptor derived from the given channel credentials, or null+        /// if the channel credentials don't involve an interceptor.+        /// </summary>+        /// <param name="credentials">The channel credentials to convert.</param>+        internal static AsyncAuthInterceptor ToAsyncAuthInterceptor(this CallCredentials credentials)+        {+            var configurator = new RestCallCredentialsConfigurator();+            credentials.InternalPopulateConfiguration(configurator, null);+            return configurator.Interceptor;+        }++        private sealed class RestChannelCredentialsConfigurator : ChannelCredentialsConfiguratorBase+        {+            internal AsyncAuthInterceptor Interceptor { get; private set; }++            // TODO: Validate that 
we're okay to discard the ChannelCredentials.+            // This isn't very clearly documented...+            public override void SetCompositeCredentials(object state, ChannelCredentials channelCredentials, CallCredentials callCredentials)+            {+                Interceptor = callCredentials.ToAsyncAuthInterceptor();
                var configurator = ChannelCredentialsOnlyConfigurator();
                // If SetComposite is called here, then this fails with NotSupportedException.
                channelCredentials.InternalPopulateConfiguration(configurator, null);
                
                Interceptor = callCredentials.ToAsyncAuthInterceptor();

jskeet

comment created time in 5 days

Pull request review comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

+/*+ * Copyright 2020 Google LLC+ * Use of this source code is governed by a BSD-style+ * license that can be found in the LICENSE file or at+ * https://developers.google.com/open-source/licenses/bsd+ */++using Grpc.Core;+using System;+using System.Collections.Generic;++namespace Google.Api.Gax.Grpc.Rest+{+    /// <summary>+    /// Methods to convert ChannelCredentials and CallCredentials into AsyncAuthInterceptors,+    /// so we can ask them to populate auth headers.+    /// </summary>+    internal static class CredentialExtensions+    {+        /// <summary>+        /// Returns the async auth interceptor derived from the given channel credentials, or null+        /// if the channel credentials don't involve an interceptor.+        /// </summary>+        /// <param name="credentials">The channel credentials to convert.</param>+        internal static AsyncAuthInterceptor ToAsyncAuthInterceptor(this ChannelCredentials credentials)+        {+            var configurator = new RestChannelCredentialsConfigurator();+            credentials.InternalPopulateConfiguration(configurator, state: null);+            return configurator.Interceptor;+        }++        /// <summary>+        /// Returns the async auth interceptor derived from the given channel credentials, or null+        /// if the channel credentials don't involve an interceptor.+        /// </summary>+        /// <param name="credentials">The channel credentials to convert.</param>+        internal static AsyncAuthInterceptor ToAsyncAuthInterceptor(this CallCredentials credentials)+        {+            var configurator = new RestCallCredentialsConfigurator();+            credentials.InternalPopulateConfiguration(configurator, null);+            return configurator.Interceptor;+        }++        private sealed class RestChannelCredentialsConfigurator : ChannelCredentialsConfiguratorBase+        {+            internal AsyncAuthInterceptor Interceptor { get; private set; }++            // TODO: Validate that 
we're okay to discard the ChannelCredentials.
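
Review bot: The XML doc on the CallCredentials overload of ToAsyncAuthInterceptor is copied from the ChannelCredentials overload: both its summary and its `<param name="credentials">` text say "channel credentials". Change them to "call credentials" so the two overloads can be told apart. The two InternalPopulateConfiguration calls also differ in style (`state: null` in one, a bare `null` in the other); pick one form.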

Generally, a ChannelCredentials can be a composite itself containing any number of CallCredentials. Given that composite call credentials are not supported (as per line 76), I believe that the "correct" thing to do here is to also fail if this ChannelCredential contains call credentials. What I mean is that currently:

// Attempting to use these credentials fails as per line 76
ChannelCredentials toBeUsed = ChannelCredentials.Create(new SslCredentials(), CallCredentials.Compose(/*many call credentials*/));

// But attempting to use this one, doesn't.
ChannelCredentials intermediate = ChannelCredentials.Create(new SslCredentials(), CallCredentials.Compose(/*many call credentials minus one*/));
ChannelCredentials toBeUsed = ChannelCredentials.Create(intermediate, CallCredentials.FromInterceptor(/*interceptor*/));

I think it's fixable with another Configurator as in my suggestion.

jskeet

comment created time in 5 days

Pull request review comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

+/*+ * Copyright 2020 Google LLC+ * Use of this source code is governed by a BSD-style+ * license that can be found in the LICENSE file or at+ * https://developers.google.com/open-source/licenses/bsd+ */++using Grpc.Core;+using System;+using System.Collections.Generic;+using System.Text;++namespace Google.Api.Gax.Grpc.Rest+{+    class RestChannelCredentialsConfigurator : ChannelCredentialsConfiguratorBase

There's another class named the same and very similar in CredentialExtensions. I believe this one here is not being used, only the one in CredentialExtensions.

jskeet

comment created time in 5 days

Pull request review comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

+/*+ * Copyright 2020 Google LLC+ * Use of this source code is governed by a BSD-style+ * license that can be found in the LICENSE file or at+ * https://developers.google.com/open-source/licenses/bsd+ */++using Google.Protobuf.Reflection;+using Grpc.Core;+using System.Collections.Generic;+using System.Linq;++namespace Google.Api.Gax.Grpc.Rest+{+    /// <summary>+    /// Implementation of <see cref="GrpcAdapter"/> that uses HTTP/1.1 and JSON,+    /// but via a gRPC <see cref="CallInvoker"/>.+    /// </summary>+    public sealed class RestGrpcAdapter : GrpcAdapter+    {+        private readonly RestServiceCollection _serviceCollection;++        private RestGrpcAdapter(RestServiceCollection serviceCollection) =>+            _serviceCollection = serviceCollection;++        /// <inheritdoc />+        protected override ChannelBase CreateChannelImpl(string endpoint, ChannelCredentials credentials, GrpcChannelOptions options) =>+            new RestChannel(_serviceCollection, endpoint, credentials, options);++        /// <summary>

nit: incomplete docs

jskeet

comment created time in 5 days

pull request comment googleapis/gax-dotnet

First stage of the prototype of "REGAPIC" - a gRPC adapter to use REST/JSON

Doh - thanks for both of those. Addressed.

jskeet

comment created time in 6 days

push event istio/api

Istio Automation

commit sha 3cee6a1d3ab47978cbc5c965cac0281da8826df0

Automator: update common-files@master in istio/api@master (#1763)

push time in 6 days

PR merged istio/api

Automator: update common-files@master in istio/api@master auto-merge cla: yes release-notes-none size/XS

Generated by Automator - 2020-11-25T19:39:58+00:00

+5 -3

0 comment

2 changed files

istio-testing

pr closed time in 6 days

PR opened istio/api

Automator: update common-files@master in istio/api@master

Generated by Automator - 2020-11-25T19:39:58+00:00

+5 -3

0 comment

2 changed files

pr created time in 6 days

pull request comment istio/api

Add autoscale enabled fields and PDB enabled field for IstioOperatorSpec

Where this change helps is the code for the fix can be written against both APIs, instead of having to go back and write it again when the new API comes along.

carolynhu

comment created time in 6 days

Pull request review comment istio/api

[WIP] Add initial Telemetry API definition

 message MeshConfig {       // The default status is "403" (HTTP Forbidden).       string status_on_error = 4;     }++    // EnvoyTracingOpenCensusProvider defines configuration for an OpenCensus tracer writing to+    // an OpenCensus agent backend. See+    // [Envoy's OpenCensus trace configuration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto)+    // and+    // [OpenCensus trace config](https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto)+    // for details.+    // $hide_from_docs+    message EnvoyTracingOpenCensusProvider {+      // REQUIRED. gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or+      // unix:path). See [gRPC naming docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for+      // details.+      string address = 1;++      // TraceContext selects the context propagation headers used for+      // distributed tracing.+      // $hide_from_docs+      enum TraceContext {+        // Unspecified context. Should not be used for now, but added to reserve+        // the 0 enum value if TraceContext is used outside of a repeated field.+        UNSPECIFIED = 0;+        // Use W3C Trace Context propagation using the `traceparent` HTTP header.+        // See the+        // [Trace Context documentation](https://www.w3.org/TR/trace-context/) for details.+        W3C_TRACE_CONTEXT = 1;+        // Use gRPC binary context propagation using the `grpc-trace-bin` http header.+        GRPC_BIN = 2;+        // Use Cloud Trace context propagation using the+        // `X-Cloud-Trace-Context` http header.+        CLOUD_TRACE_CONTEXT = 3;+        // Use multi-header B3 context propagation using the `X-B3-TraceId`,+        // `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers. 
See+        // [B3 header propagation README](https://github.com/openzipkin/b3-propagation)+        // for details.+        B3 = 4;+      }++      // Specifies the set of context propagation headers used for+      // distributed tracing.+      // $hide_from_docs+      repeated TraceContext context = 2;+    }++    // $hide_from_docs+    message EnvoyTracingDatadogProvider {+       // REQUIRED. Address of the Datadog Agent.+       string address = 1;+    }++    // $hide_from_docs+    message EnvoyTracingLightStepProvider {+      // REQUIRED. Address of the Lightstep Satellite pool.+      string address = 1;++      // REQUIRED. The Lightstep access token.+      string access_token = 2;++      // Available propagation modes for trace context+      // $hide_from_docs+      enum PropagationMode {+         // Propagate trace context in the single header x-ot-span-context.+         ENVOY = 0;+         // Propagate trace context using LightStep's native format.+         LIGHTSTEP = 1;+         // Propagate trace context using the b3 format.+         B3 = 2;+         // Propagation trace context using the w3 trace-context standard.+         TRACE_CONTEXT = 3;+      }+ +      // Optional. Propagation modes to use by LightStep's tracer.+      repeated PropagationMode propagation_modes = 3;+    }++    // $hide_from_docs+    message EnvoyTracingZipkinAPIProvider {+      // REQUIRED. Specifies the service that implements the Zipkin API.+      // The format is "[<Namespace>/]<Service>". If the <Namespace> is omitted then it is resolved within the same+      // namespace as this configuration resource. The <Service> is the name of the service object (k8s service or ServiceEntry).+      // Example: "foo/zipkin" or "zipkin".+      string service = 1;
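
Review bot: In EnvoyTracingLightStepProvider, `string access_token = 2;` puts the Lightstep credential inline in MeshConfig, so anyone who can read the mesh configuration can read the token. Consider taking a reference to a secret (or a file path to one) instead of the literal value, or at minimum say in the field comment how the token is expected to be protected. Minor: the TRACE_CONTEXT comment reads "Propagation trace context" where the other enum values say "Propagate".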

From a consistency perspective, wouldn't it be better to just use address (instead of separate service and port) as in the other providers?

douglas-reid

comment created time in 6 days

Pull request review comment istio/api

[WIP] Add initial Telemetry API definition

+// Copyright Istio Authors+//+//   Licensed under the Apache License, Version 2.0 (the "License");+//   you may not use this file except in compliance with the License.+//   You may obtain a copy of the License at+//+//       http://www.apache.org/licenses/LICENSE-2.0+//+//   Unless required by applicable law or agreed to in writing, software+//   distributed under the License is distributed on an "AS IS" BASIS,+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+//   See the License for the specific language governing permissions and+//   limitations under the License.++syntax = "proto3";++import "type/v1beta1/selector.proto";++option go_package = "istio.io/api/telemetry/v1alpha1";++package istio.telemetry.v1alpha1;++// $schema: istio.telemetry.v1alpha1.Telemetry+// $title: Telemetry+// $description: Telemetry configuration for workloads.+// $location: https://istio.io/docs/reference/config/telemetry/telemetry.html+// $aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]++// Telemetry defines the telemetry generation policies for workloads within a mesh.+// Telemetry policies control runtime configuration of telemetry generation for Istio.+//+// For mesh level configuration, put the policy in root configuration namespace for +// your Istio installation *without* a workload selector.+//+// For any namespace, including the root configuration namespace, it is only valid +// to have a single workload selector-less Telemetry resource. In the case of multiples,+// the oldest known resource will be used to the exclusion of any other resources.+//+// For resources with a workload selector, it is only valid to have one resource selecting+// any given workload. 
If multiple resources with a workload selector select a single resource,+// the oldest known resource will be used to the exclusion of all other resources.+//+// WARNING: Support for Telemetry policies is under active development and is *not* +// stable or supported by Istio at this time.+//+// Examples:+//+// Policy to enable sending trace data to a Zipkin backend for 10% of all traffic:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   tracing:+//   - match: {} # apply to all traffic+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: true+//       percentageSampler:+//         target: 10.00+// ```+//+// Policy to disable trace reporting for all inbound traffic to the "foo"+// workloads that arrives on port 8090:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   workloadSelector:+//     labels:+//       service.istio.io/canonical-name: foo+//   tracing:+//   - match:+//       trafficDirection: INBOUND+//       port:+//         number: 8090+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: false+// ```+//+// <!-- crd generation tags+// +cue-gen:Telemetry:groupName:telemetry.istio.io+// +cue-gen:Telemetry:version:v1alpha1+// +cue-gen:Telemetry:storageVersion+// +cue-gen:Telemetry:annotations:helm.sh/resource-policy=keep+// +cue-gen:Telemetry:labels:app=istio-pilot,chart=istio,istio=telemetry,heritage=Tiller,release=istio+// +cue-gen:Telemetry:subresource:status+// +cue-gen:Telemetry:scope:Namespaced+// +cue-gen:Telemetry:resource:categories=istio-io,telemetry-istio-io,shortNames=telemetry+// +cue-gen:Telemetry:preserveUnknownFields:false+// +cue-gen:Telemetry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp+// representing the server 
time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.+// Clients may not set this value. It is represented in RFC3339 form and is in UTC.+// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"+// -->+//+// <!-- go code generation tags+// +kubetype-gen+// +kubetype-gen:groupVersion=telemetry.istio.io/v1alpha1+// +genclient+// +k8s:deepcopy-gen=true+// -->+message Telemetry {+  // Optional. Workload selector decides where to apply the Telemetry policy.+  // If not set, the Telemetry policy will be applied to all workloads in the+  // same namespace as the Telemetry policy.+  istio.type.v1beta1.WorkloadSelector workload_selector = 1;++  // Optional. Tracing defines the per-workload overrides for trace span+  // reporting.+  repeated TracingRule tracing = 2;++  // AccessLoggingRule access_logging = 3;+  // MetricsRule metrics = 4;+}++// TracingRule defines how trace spans should be reported (sampling rate, custom tags)+// and under what conditions the reporting should be conducted.+message TracingRule {+  // Defines the conditions under which the associated configuration applies.+  TelemetryRuleMatch match = 1;+  // Customization of the default behavior for tracing.+  TracingConfig config = 2;+}++// TelemetryRuleMatch defines conditions for selecting subsets of mesh traffic+// for a workload. TelemetryRuleMatch is concerned with simplified selection +// based on listener, protocol, and traffic direction.+message TelemetryRuleMatch {++  // TrafficDirection selects for traffic relative to the local+  // proxy. +  enum TrafficDirection {+    // (Default) Match all traffic, regardless of direction.+    ALL_DIRECTIONS = 0;+    // Match outbound traffic leaving the proxy. 
Use this to select "client-side"+    // traffic in telemetry reporting.+    // Note: Use OUTBOUND for gateways (even including ingress)+    OUTBOUND = 1; +    // Match incoming traffic for the proxy. Use this to select "server-side"+    // traffic in telemetry reporting.+    INBOUND = 2;+ }++  // Protocol selects for traffic based on the identified protocol of that traffic. +  enum Protocol {+    // (Default) Matches all traffic, regardless of protocol+    ALL_PROTOCOLS = 0;+    // Selects for HTTP traffic, including HTTP/1.1, gRPC, HTTP/2.+    HTTP = 1; +    // Selects for all non-HTTP traffic.+    // NOTE: Tracing is currently only supported for HTTP. +    TCP = 2; +  }++  // Optional. Specifies the intended direction of the traffic relative to the local proxy.+  // Defaults to ALL if unset.+  TrafficDirection traffic_direction = 1; ++  // Optional. Specifies the protocol of the traffic.+  // Defaults to ALL if unset.+  Protocol protocol = 2; ++  // Optional. The port on which the traffic is received.+  // Defaults to ALL if unset.+  Port port = 3;+}++// Port specifies the number of a port to be used for+// matching or selection for final routing.+message Port {+  // Valid port number+  uint32 number = 1;+}++// Used to bind Telemetry configuration to specific providers for+// targeted customization.+message ProviderRef {+  // Required. Name of Telemetry provider in MeshConfig.+  string name = 1;+}++// TracingConfig defines the workload-level overrides for tracing behavior within+// a mesh. It can be used to enable/disable tracing, as well as to set sampling+// rates and custom tag extraction.+message TracingConfig {+  // Required. Name of providers to which this configuration should apply. At+  // least one provider needs to be specified.+  repeated ProviderRef providers = 1;
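
Review bot: Both YAML examples in the Telemetry doc comment use `apiVersion: telemetry.istio.io/v1beta1`, but the package, go_package and the `+cue-gen:Telemetry:version` tag in the same file all say v1alpha1, so the examples would not match the generated CRD. Change the examples to `telemetry.istio.io/v1alpha1`. The second example also reuses the name `mesh-default` in `istio-system` for a policy that has a workload selector, which reads as a copy of the first; a distinct name would make clear that it is a workload-scoped policy.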

Added a comment further up about providers - not sure whether the Telemetry CR (defining what a workload should emit in terms of tracing telemetry), should contain instructions on where it should be sent (which could just be a mesh configuration/operator concern)?

Given that only one provider can be supported at the moment, this discussion could be deferred and leave the providers field out of the Telemetry CRD for now.

douglas-reid

comment created time in 6 days

Pull request review comment istio/api

[WIP] Add initial Telemetry API definition

+// Copyright Istio Authors+//+//   Licensed under the Apache License, Version 2.0 (the "License");+//   you may not use this file except in compliance with the License.+//   You may obtain a copy of the License at+//+//       http://www.apache.org/licenses/LICENSE-2.0+//+//   Unless required by applicable law or agreed to in writing, software+//   distributed under the License is distributed on an "AS IS" BASIS,+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+//   See the License for the specific language governing permissions and+//   limitations under the License.++syntax = "proto3";++import "type/v1beta1/selector.proto";++option go_package = "istio.io/api/telemetry/v1alpha1";++package istio.telemetry.v1alpha1;++// $schema: istio.telemetry.v1alpha1.Telemetry+// $title: Telemetry+// $description: Telemetry configuration for workloads.+// $location: https://istio.io/docs/reference/config/telemetry/telemetry.html+// $aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]++// Telemetry defines the telemetry generation policies for workloads within a mesh.+// Telemetry policies control runtime configuration of telemetry generation for Istio.+//+// For mesh level configuration, put the policy in root configuration namespace for +// your Istio installation *without* a workload selector.+//+// For any namespace, including the root configuration namespace, it is only valid +// to have a single workload selector-less Telemetry resource. In the case of multiples,+// the oldest known resource will be used to the exclusion of any other resources.+//+// For resources with a workload selector, it is only valid to have one resource selecting+// any given workload. 
If multiple resources with a workload selector select a single resource,+// the oldest known resource will be used to the exclusion of all other resources.+//+// WARNING: Support for Telemetry policies is under active development and is *not* +// stable or supported by Istio at this time.+//+// Examples:+//+// Policy to enable sending trace data to a Zipkin backend for 10% of all traffic:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   tracing:+//   - match: {} # apply to all traffic+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: true+//       percentageSampler:+//         target: 10.00+// ```+//+// Policy to disable trace reporting for all inbound traffic to the "foo"+// workloads that arrives on port 8090:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   workloadSelector:+//     labels:+//       service.istio.io/canonical-name: foo+//   tracing:+//   - match:+//       trafficDirection: INBOUND+//       port:+//         number: 8090+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: false+// ```+//+// <!-- crd generation tags+// +cue-gen:Telemetry:groupName:telemetry.istio.io+// +cue-gen:Telemetry:version:v1alpha1+// +cue-gen:Telemetry:storageVersion+// +cue-gen:Telemetry:annotations:helm.sh/resource-policy=keep+// +cue-gen:Telemetry:labels:app=istio-pilot,chart=istio,istio=telemetry,heritage=Tiller,release=istio+// +cue-gen:Telemetry:subresource:status+// +cue-gen:Telemetry:scope:Namespaced+// +cue-gen:Telemetry:resource:categories=istio-io,telemetry-istio-io,shortNames=telemetry+// +cue-gen:Telemetry:preserveUnknownFields:false+// +cue-gen:Telemetry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp+// representing the server 
time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.+// Clients may not set this value. It is represented in RFC3339 form and is in UTC.+// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"+// -->+//+// <!-- go code generation tags+// +kubetype-gen+// +kubetype-gen:groupVersion=telemetry.istio.io/v1alpha1+// +genclient+// +k8s:deepcopy-gen=true+// -->+message Telemetry {+  // Optional. Workload selector decides where to apply the Telemetry policy.+  // If not set, the Telemetry policy will be applied to all workloads in the+  // same namespace as the Telemetry policy.+  istio.type.v1beta1.WorkloadSelector workload_selector = 1;++  // Optional. Tracing defines the per-workload overrides for trace span+  // reporting.+  repeated TracingRule tracing = 2;++  // AccessLoggingRule access_logging = 3;+  // MetricsRule metrics = 4;+}++// TracingRule defines how trace spans should be reported (sampling rate, custom tags)+// and under what conditions the reporting should be conducted.+message TracingRule {+  // Defines the conditions under which the associated configuration applies.+  TelemetryRuleMatch match = 1;+  // Customization of the default behavior for tracing.+  Tracing config = 2;+}++// TelemetryRuleMatch defines conditions for selecting subsets of mesh traffic+// for a workload. TelemetryRuleMatch is concerned with simplified selection +// based on listener, protocol, and traffic direction.+message TelemetryRuleMatch {++  // TrafficDirection selects for traffic relative to the local+  // proxy. +  enum TrafficDirection {+    // (Default) Match all traffic, regardless of direction.+    ALL_DIRECTIONS = 0;+    // Match outbound traffic leaving the proxy. 
Use this to select "client-side"+    // traffic in telemetry reporting.+    // Note: Use OUTBOUND for gateways (even including ingress)+    OUTBOUND = 1; +    // Match incoming traffic for the proxy. Use this to select "server-side"+    // traffic in telemetry reporting.+    INBOUND = 2;+ }++  // Optional. Specifies the intended direction of the traffic relative to the local proxy.+  // Defaults to ALL if unset.+  TrafficDirection traffic_direction = 1; ++  // Optional. The port on which the traffic is received.+  // Defaults to ALL if unset.+  Port port = 3;+}++// Port specifies the number of a port to be used for+// matching or selection for final routing.+message Port {+  // Valid port number+  uint32 number = 1;+}++// Used to bind Telemetry configuration to specific providers for+// targeted customization.+message ProviderRef {+  // Required. Name of Telemetry provider in MeshConfig.+  string name = 1;+}++// Tracing defines the workload-level overrides for tracing behavior within+// a mesh. It can be used to enable/disable tracing, as well as to set sampling+// rates and custom tag extraction.+message Tracing {+  // Required. Name of providers to which this configuration should apply. At+  // least one provider needs to be specified.+  // NOTE: Only a single provider is currently supported.+  repeated ProviderRef providers = 1;+  +  // Enables the tracing functionality. When this is set to `true`, the+  // sidecar will report spans to a configured backend for all traffic with a trace+  // context that specifies the trace is sampled. Additionally, spans will be+  // generated for traffic without trace contexts based on the+  // `sampler` configuration provided. If `report_spans` is `false` (or unset),+  // the sidecar will ignore the incoming trace context, generating no spans for+  // the traffic (the context will be silently forwarded). 
This is equivalent to +  // disabling tracing for the sidecar.+  bool report_spans = 2;++  // Controls whether or not Istio-specific tags will be generated for each+  // span created by the sidecar proxies. These tags include information on+  // the canonical service, meh, and namespace involved in the request.+  // Default: true+  bool include_istio_tags = 3;++  // CustomTag defines a tag to be added to a trace span that is based on+  // an operator-supplied value. This value can either be a hard-coded value,+  // a value taken from an environment variable known to the sidecar proxy, or+  // from a request header.+  message CustomTag {+    oneof type {+      // Literal adds the same, hard-coded value to each span.+      Literal literal = 1;+      // Environment adds the value of an environment variable to each span.+      Environment environment = 2;+      // RequestHeader adds the value of an header from the request to each span.+      RequestHeader header = 3;
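
Review bot: In `message Tracing`, `include_istio_tags` is documented as "Default: true", but a plain proto3 `bool` reads as `false` when unset, so an omitted field cannot be told apart from an explicit `false` and the documented default cannot be honoured. Use `google.protobuf.BoolValue`, or invert the field so that the unset value keeps the tags on. The same comment has a typo ("meh" for "mesh"), and `TelemetryRuleMatch` says "Defaults to ALL if unset" where the enum value is `ALL_DIRECTIONS`. Separately, the `Environment` and `RequestHeader` variants of `CustomTag` copy environment-variable and request-header values into every span reported to the tracing backend; the field comments should state that credential-bearing headers and secret-holding environment variables must not be selected.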

Envoy also supports creating custom tags from metadata - so would be good to support that here as well.

As a side question - would the access to metadata for creating a custom tag enable a virtual service http route (name), and/or the destination host/subset (version), be recorded on the spans?

douglas-reid

comment created time in 6 days

Pull request review comment istio/api

[WIP] Add initial Telemetry API definition

+// Copyright Istio Authors+//+//   Licensed under the Apache License, Version 2.0 (the "License");+//   you may not use this file except in compliance with the License.+//   You may obtain a copy of the License at+//+//       http://www.apache.org/licenses/LICENSE-2.0+//+//   Unless required by applicable law or agreed to in writing, software+//   distributed under the License is distributed on an "AS IS" BASIS,+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+//   See the License for the specific language governing permissions and+//   limitations under the License.++syntax = "proto3";++import "type/v1beta1/selector.proto";++option go_package = "istio.io/api/telemetry/v1alpha1";++package istio.telemetry.v1alpha1;++// $schema: istio.telemetry.v1alpha1.Telemetry+// $title: Telemetry+// $description: Telemetry configuration for workloads.+// $location: https://istio.io/docs/reference/config/telemetry/telemetry.html+// $aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]++// Telemetry defines the telemetry generation policies for workloads within a mesh.+// Telemetry policies control runtime configuration of telemetry generation for Istio.+//+// For mesh level configuration, put the policy in root configuration namespace for +// your Istio installation *without* a workload selector.+//+// For any namespace, including the root configuration namespace, it is only valid +// to have a single workload selector-less Telemetry resource. In the case of multiples,+// the oldest known resource will be used to the exclusion of any other resources.+//+// For resources with a workload selector, it is only valid to have one resource selecting+// any given workload. 
If multiple resources with a workload selector select a single resource,+// the oldest known resource will be used to the exclusion of all other resources.+//+// WARNING: Support for Telemetry policies is under active development and is *not* +// stable or supported by Istio at this time.+//+// Examples:+//+// Policy to enable sending trace data to a Zipkin backend for 10% of all traffic:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   tracing:+//   - match: {} # apply to all traffic+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: true+//       percentageSampler:+//         target: 10.00+// ```+//+// Policy to disable trace reporting for all inbound traffic to the "foo"+// workloads that arrives on port 8090:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   workloadSelector:+//     labels:+//       service.istio.io/canonical-name: foo+//   tracing:+//   - match:+//       trafficDirection: INBOUND+//       port:+//         number: 8090+//     config:+//       providers:
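
Review bot: Both YAML examples in the `Telemetry` doc comment use `apiVersion: telemetry.istio.io/v1beta1`, but the file declares `package istio.telemetry.v1alpha1` with `go_package = "istio.io/api/telemetry/v1alpha1"`, so anyone copying an example would target a version this change does not define. Change the examples to `telemetry.istio.io/v1alpha1` so they match the package and the `$aliases` path.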

Not sure if the providers should be defined in the Telemetry resource - if a new provider is added, or an existing one removed (by the Mesh Operator) it would require Application Operators to be aware and then update their CRs.

Would it be better to start with them being independent, and then add the concept of provider into this CRD only if there is a good use case?

douglas-reid

comment created time in 6 days

Pull request review comment istio/api

[WIP] Add initial Telemetry API definition

+// Copyright Istio Authors+//+//   Licensed under the Apache License, Version 2.0 (the "License");+//   you may not use this file except in compliance with the License.+//   You may obtain a copy of the License at+//+//       http://www.apache.org/licenses/LICENSE-2.0+//+//   Unless required by applicable law or agreed to in writing, software+//   distributed under the License is distributed on an "AS IS" BASIS,+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+//   See the License for the specific language governing permissions and+//   limitations under the License.++syntax = "proto3";++import "type/v1beta1/selector.proto";++option go_package = "istio.io/api/telemetry/v1alpha1";++package istio.telemetry.v1alpha1;++// $schema: istio.telemetry.v1alpha1.Telemetry+// $title: Telemetry+// $description: Telemetry configuration for workloads.+// $location: https://istio.io/docs/reference/config/telemetry/telemetry.html+// $aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]++// Telemetry defines the telemetry generation policies for workloads within a mesh.+// Telemetry policies control runtime configuration of telemetry generation for Istio.+//+// For mesh level configuration, put the policy in root configuration namespace for +// your Istio installation *without* a workload selector.+//+// For any namespace, including the root configuration namespace, it is only valid +// to have a single workload selector-less Telemetry resource. In the case of multiples,+// the oldest known resource will be used to the exclusion of any other resources.+//+// For resources with a workload selector, it is only valid to have one resource selecting+// any given workload. 
If multiple resources with a workload selector select a single resource,+// the oldest known resource will be used to the exclusion of all other resources.+//+// WARNING: Support for Telemetry policies is under active development and is *not* +// stable or supported by Istio at this time.+//+// Examples:+//+// Policy to enable sending trace data to a Zipkin backend for 10% of all traffic:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   tracing:+//   - match: {} # apply to all traffic+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: true+//       percentageSampler:+//         target: 10.00+// ```+//+// Policy to disable trace reporting for all inbound traffic to the "foo"+// workloads that arrives on port 8090:+// ```yaml+// apiVersion: telemetry.istio.io/v1beta1+// kind: Telemetry+// metadata:+//   name: mesh-default+//   namespace: istio-system+// spec:+//   workloadSelector:+//     labels:+//       service.istio.io/canonical-name: foo+//   tracing:+//   - match:+//       trafficDirection: INBOUND+//       port:+//         number: 8090+//     config:+//       providers:+//       - name: "zipkin"+//       reportSpans: false
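
Review bot: The second example (the one with `workloadSelector` for `foo`) reuses `name: mesh-default` and `namespace: istio-system` from the first example, so applying both as written would replace the mesh-wide policy instead of adding a workload override, and the name no longer describes a selector-scoped resource. Give the second example a distinct name. In the paragraph above the examples, "select a single resource" should read "select a single workload", and the comment should say how "oldest known resource" is determined (for example, by `creationTimestamp`) so the tie-break is predictable.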

Unclear of the semantics here - if the default telemetry resource is sending tracing to multiple providers, does this resource example imply reporting will be disabled only for reporting to zipkin?

Wondering if this would get too complicated - and if the reportSpans should just apply across all providers, then in this case the providers shouldn't be defined if setting reportSpans: false?

douglas-reid

comment created time in 6 days
