istio
1300 строк · 38.8 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package serviceentry16import (18"encoding/json"19"strings"20"testing"21"time"22"istio.io/api/label"24networking "istio.io/api/networking/v1alpha3"25"istio.io/istio/pilot/pkg/features"26"istio.io/istio/pilot/pkg/model"27"istio.io/istio/pilot/pkg/serviceregistry/provider"28labelutil "istio.io/istio/pilot/pkg/serviceregistry/util/label"29"istio.io/istio/pilot/test/util"30"istio.io/istio/pkg/cluster"31"istio.io/istio/pkg/config"32"istio.io/istio/pkg/config/constants"33"istio.io/istio/pkg/config/host"34"istio.io/istio/pkg/config/labels"35"istio.io/istio/pkg/config/protocol"36"istio.io/istio/pkg/config/schema/gvk"37"istio.io/istio/pkg/network"38"istio.io/istio/pkg/spiffe"39"istio.io/istio/pkg/test"40)41var (43GlobalTime = time.Now()44httpNone = &config.Config{45Meta: config.Meta{46GroupVersionKind: gvk.ServiceEntry,47Name: "httpNone",48Namespace: "httpNone",49Domain: "svc.cluster.local",50CreationTimestamp: GlobalTime,51},52Spec: &networking.ServiceEntry{53Hosts: []string{"*.google.com"},54Ports: []*networking.ServicePort{55{Number: 80, Name: "http-number", Protocol: "http"},56{Number: 8080, Name: "http2-number", Protocol: "http2"},57},58Location: networking.ServiceEntry_MESH_EXTERNAL,59Resolution: networking.ServiceEntry_NONE,60},61}62)63var tcpNone = &config.Config{65Meta: config.Meta{66GroupVersionKind: gvk.ServiceEntry,67Name: "tcpNone",68Namespace: "tcpNone",69CreationTimestamp: GlobalTime,70},71Spec: &networking.ServiceEntry{72Hosts: []string{"tcpnone.com"},73Addresses: []string{"172.217.0.0/16"},74Ports: []*networking.ServicePort{75{Number: 444, Name: "tcp-444", Protocol: "tcp"},76},77Location: networking.ServiceEntry_MESH_EXTERNAL,78Resolution: networking.ServiceEntry_NONE,79},80}81var httpStatic = &config.Config{83Meta: config.Meta{84GroupVersionKind: gvk.ServiceEntry,85Name: "httpStatic",86Namespace: "httpStatic",87CreationTimestamp: GlobalTime,88},89Spec: &networking.ServiceEntry{90Hosts: []string{"*.google.com"},91Ports: []*networking.ServicePort{92{Number: 80, Name: "http-port", Protocol: "http"},93{Number: 8080, Name: "http-alt-port", Protocol: "http"},94},95Endpoints: []*networking.WorkloadEntry{96{97Address: "2.2.2.2",98Ports: map[string]uint32{"http-port": 7080, "http-alt-port": 18080},99Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},100},101{102Address: "3.3.3.3",103Ports: map[string]uint32{"http-port": 1080},104Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},105},106{107Address: "4.4.4.4",108Ports: map[string]uint32{"http-port": 1080},109Labels: map[string]string{"foo": "bar"},110},111},112Location: networking.ServiceEntry_MESH_EXTERNAL,113Resolution: networking.ServiceEntry_STATIC,114},115}116// Shares the same host as httpStatic, but adds some endpoints. We expect these to be merge118var httpStaticOverlay = &config.Config{119Meta: config.Meta{120GroupVersionKind: gvk.ServiceEntry,121Name: "httpStaticOverlay",122Namespace: "httpStatic",123CreationTimestamp: GlobalTime,124},125Spec: &networking.ServiceEntry{126Hosts: []string{"*.google.com"},127Ports: []*networking.ServicePort{128{Number: 4567, Name: "http-port", Protocol: "http"},129},130Endpoints: []*networking.WorkloadEntry{131{132Address: "5.5.5.5",133Labels: map[string]string{"overlay": "bar"},134},135},136Location: networking.ServiceEntry_MESH_EXTERNAL,137Resolution: networking.ServiceEntry_STATIC,138},139}140var httpDNSnoEndpoints = &config.Config{142Meta: config.Meta{143GroupVersionKind: gvk.ServiceEntry,144Name: "httpDNSnoEndpoints",145Namespace: "httpDNSnoEndpoints",146CreationTimestamp: GlobalTime,147},148Spec: &networking.ServiceEntry{149Hosts: []string{"google.com", "www.wikipedia.org"},150Ports: []*networking.ServicePort{151{Number: 80, Name: "http-port", Protocol: "http"},152{Number: 8080, Name: "http-alt-port", Protocol: "http"},153},154Location: networking.ServiceEntry_MESH_EXTERNAL,155Resolution: networking.ServiceEntry_DNS,156SubjectAltNames: []string{"google.com"},157},158}159var httpDNSRRnoEndpoints = &config.Config{161Meta: config.Meta{162GroupVersionKind: gvk.ServiceEntry,163Name: "httpDNSRRnoEndpoints",164Namespace: "httpDNSRRnoEndpoints",165CreationTimestamp: GlobalTime,166},167Spec: &networking.ServiceEntry{168Hosts: []string{"api.istio.io"},169Ports: []*networking.ServicePort{170{Number: 80, Name: "http-port", Protocol: "http"},171{Number: 8080, Name: "http-alt-port", Protocol: "http"},172},173Location: networking.ServiceEntry_MESH_EXTERNAL,174Resolution: networking.ServiceEntry_DNS_ROUND_ROBIN,175SubjectAltNames: []string{"api.istio.io"},176},177}178var dnsTargetPort = &config.Config{180Meta: config.Meta{181GroupVersionKind: gvk.ServiceEntry,182Name: "dnsTargetPort",183Namespace: "dnsTargetPort",184CreationTimestamp: GlobalTime,185},186Spec: &networking.ServiceEntry{187Hosts: []string{"google.com"},188Ports: []*networking.ServicePort{189{Number: 80, Name: "http-port", Protocol: "http", TargetPort: 8080},190},191Location: networking.ServiceEntry_MESH_EXTERNAL,192Resolution: networking.ServiceEntry_DNS,193},194}195var httpDNS = &config.Config{197Meta: config.Meta{198GroupVersionKind: gvk.ServiceEntry,199Name: "httpDNS",200Namespace: "httpDNS",201CreationTimestamp: GlobalTime,202},203Spec: &networking.ServiceEntry{204Hosts: []string{"*.google.com"},205Ports: []*networking.ServicePort{206{Number: 80, Name: "http-port", Protocol: "http"},207{Number: 8080, Name: "http-alt-port", Protocol: "http"},208},209Endpoints: []*networking.WorkloadEntry{210{211Address: "us.google.com",212Ports: map[string]uint32{"http-port": 7080, "http-alt-port": 18080},213Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},214},215{216Address: "uk.google.com",217Ports: map[string]uint32{"http-port": 1080},218Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},219},220{221Address: "de.google.com",222Labels: map[string]string{"foo": "bar", label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},223},224},225Location: networking.ServiceEntry_MESH_EXTERNAL,226Resolution: networking.ServiceEntry_DNS,227},228}229var httpDNSRR = &config.Config{231Meta: config.Meta{232GroupVersionKind: gvk.ServiceEntry,233Name: "httpDNSRR",234Namespace: "httpDNSRR",235CreationTimestamp: GlobalTime,236},237Spec: &networking.ServiceEntry{238Hosts: []string{"*.istio.io"},239Ports: []*networking.ServicePort{240{Number: 80, Name: "http-port", Protocol: "http"},241{Number: 8080, Name: "http-alt-port", Protocol: "http"},242},243Endpoints: []*networking.WorkloadEntry{244{245Address: "api-v1.istio.io",246Ports: map[string]uint32{"http-port": 7080, "http-alt-port": 18080},247Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},248},249},250Location: networking.ServiceEntry_MESH_EXTERNAL,251Resolution: networking.ServiceEntry_DNS_ROUND_ROBIN,252},253}254var tcpDNS = &config.Config{256Meta: config.Meta{257GroupVersionKind: gvk.ServiceEntry,258Name: "tcpDNS",259Namespace: "tcpDNS",260CreationTimestamp: GlobalTime,261},262Spec: &networking.ServiceEntry{263Hosts: []string{"tcpdns.com"},264Ports: []*networking.ServicePort{265{Number: 444, Name: "tcp-444", Protocol: "tcp"},266},267Endpoints: []*networking.WorkloadEntry{268{269Address: "lon.google.com",270Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},271},272{273Address: "in.google.com",274Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},275},276},277Location: networking.ServiceEntry_MESH_EXTERNAL,278Resolution: networking.ServiceEntry_DNS,279},280}281var tcpStatic = &config.Config{283Meta: config.Meta{284GroupVersionKind: gvk.ServiceEntry,285Name: "tcpStatic",286Namespace: "tcpStatic",287CreationTimestamp: GlobalTime,288},289Spec: &networking.ServiceEntry{290Hosts: []string{"tcpstatic.com"},291Addresses: []string{"172.217.0.1"},292Ports: []*networking.ServicePort{293{Number: 444, Name: "tcp-444", Protocol: "tcp"},294},295Endpoints: []*networking.WorkloadEntry{296{297Address: "1.1.1.1",298Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},299},300{301Address: "2.2.2.2",302Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},303},304},305Location: networking.ServiceEntry_MESH_EXTERNAL,306Resolution: networking.ServiceEntry_STATIC,307},308}309var httpNoneInternal = &config.Config{311Meta: config.Meta{312GroupVersionKind: gvk.ServiceEntry,313Name: "httpNoneInternal",314Namespace: "httpNoneInternal",315CreationTimestamp: GlobalTime,316},317Spec: &networking.ServiceEntry{318Hosts: []string{"*.google.com"},319Ports: []*networking.ServicePort{320{Number: 80, Name: "http-number", Protocol: "http"},321{Number: 8080, Name: "http2-number", Protocol: "http2"},322},323Location: networking.ServiceEntry_MESH_INTERNAL,324Resolution: networking.ServiceEntry_NONE,325},326}327var tcpNoneInternal = &config.Config{329Meta: config.Meta{330GroupVersionKind: gvk.ServiceEntry,331Name: "tcpNoneInternal",332Namespace: "tcpNoneInternal",333CreationTimestamp: GlobalTime,334},335Spec: &networking.ServiceEntry{336Hosts: []string{"tcpinternal.com"},337Addresses: []string{"172.217.0.0/16"},338Ports: []*networking.ServicePort{339{Number: 444, Name: "tcp-444", Protocol: "tcp"},340},341Location: networking.ServiceEntry_MESH_INTERNAL,342Resolution: networking.ServiceEntry_NONE,343},344}345var multiAddrInternal = &config.Config{347Meta: config.Meta{348GroupVersionKind: gvk.ServiceEntry,349Name: "multiAddrInternal",350Namespace: "multiAddrInternal",351CreationTimestamp: GlobalTime,352},353Spec: &networking.ServiceEntry{354Hosts: []string{"tcp1.com", "tcp2.com"},355Addresses: []string{"1.1.1.0/16", "2.2.2.0/16"},356Ports: []*networking.ServicePort{357{Number: 444, Name: "tcp-444", Protocol: "tcp"},358},359Location: networking.ServiceEntry_MESH_INTERNAL,360Resolution: networking.ServiceEntry_NONE,361},362}363var udsLocal = &config.Config{365Meta: config.Meta{366GroupVersionKind: gvk.ServiceEntry,367Name: "udsLocal",368Namespace: "udsLocal",369CreationTimestamp: GlobalTime,370Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},371},372Spec: &networking.ServiceEntry{373Hosts: []string{"uds.cluster.local"},374Ports: []*networking.ServicePort{375{Number: 6553, Name: "grpc-1", Protocol: "grpc"},376},377Endpoints: []*networking.WorkloadEntry{378{Address: "unix:///test/sock", Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel}},379},380Resolution: networking.ServiceEntry_STATIC,381},382}383// ServiceEntry DNS with a selector385var selectorDNS = &config.Config{386Meta: config.Meta{387GroupVersionKind: gvk.ServiceEntry,388Name: "selector",389Namespace: "selector",390CreationTimestamp: GlobalTime,391},392Spec: &networking.ServiceEntry{393Hosts: []string{"selector.com"},394Ports: []*networking.ServicePort{395{Number: 444, Name: "tcp-444", Protocol: "tcp"},396{Number: 445, Name: "http-445", Protocol: "http"},397},398WorkloadSelector: &networking.WorkloadSelector{399Labels: map[string]string{"app": "wle"},400},401Resolution: networking.ServiceEntry_DNS,402},403}404// ServiceEntry with a selector406var selector = &config.Config{407Meta: config.Meta{408GroupVersionKind: gvk.ServiceEntry,409Name: "selector",410Namespace: "selector",411CreationTimestamp: GlobalTime,412},413Spec: &networking.ServiceEntry{414Hosts: []string{"selector.com"},415Ports: []*networking.ServicePort{416{Number: 444, Name: "tcp-444", Protocol: "tcp"},417{Number: 445, Name: "http-445", Protocol: "http"},418},419WorkloadSelector: &networking.WorkloadSelector{420Labels: map[string]string{"app": "wle"},421},422Resolution: networking.ServiceEntry_STATIC,423},424}425// DNS ServiceEntry with a selector427var dnsSelector = &config.Config{428Meta: config.Meta{429GroupVersionKind: gvk.ServiceEntry,430Name: "dns-selector",431Namespace: "dns-selector",432CreationTimestamp: GlobalTime,433Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},434},435Spec: &networking.ServiceEntry{436Hosts: []string{"dns.selector.com"},437Ports: []*networking.ServicePort{438{Number: 444, Name: "tcp-444", Protocol: "tcp"},439{Number: 445, Name: "http-445", Protocol: "http"},440},441WorkloadSelector: &networking.WorkloadSelector{442Labels: map[string]string{"app": "dns-wle"},443},444Resolution: networking.ServiceEntry_DNS,445},446}447// Service Entry with DNSRoundRobinLB449var dnsRoundRobinLBSE1 = &config.Config{450Meta: config.Meta{451GroupVersionKind: gvk.ServiceEntry,452Name: "dns-round-robin-1",453Namespace: "dns",454CreationTimestamp: GlobalTime,455Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},456},457Spec: &networking.ServiceEntry{458Hosts: []string{"example.com"},459Ports: []*networking.ServicePort{460{Number: 445, Name: "http-445", Protocol: "http"},461{Number: 446, Name: "http-446", Protocol: "http"},462},463Resolution: networking.ServiceEntry_DNS_ROUND_ROBIN,464},465}466var dnsRoundRobinLBSE2 = &config.Config{468Meta: config.Meta{469GroupVersionKind: gvk.ServiceEntry,470Name: "dns-round-robin-2",471Namespace: "dns",472CreationTimestamp: GlobalTime,473Labels: map[string]string{label.SecurityTlsMode.Name: model.IstioMutualTLSModeLabel},474},475Spec: &networking.ServiceEntry{476Hosts: []string{"example.com"},477Ports: []*networking.ServicePort{478{Number: 445, Name: "http-445", Protocol: "http"},479},480Resolution: networking.ServiceEntry_DNS_ROUND_ROBIN,481},482}483func createWorkloadEntry(name, namespace string, spec *networking.WorkloadEntry) *config.Config {485return &config.Config{486Meta: config.Meta{487GroupVersionKind: gvk.WorkloadEntry,488Name: name,489Namespace: namespace,490CreationTimestamp: GlobalTime,491},492Spec: spec,493}494}495func convertPortNameToProtocol(name string) protocol.Instance {497prefix := name498i := strings.Index(name, "-")499if i >= 0 {500prefix = name[:i]501}502return protocol.Parse(prefix)503}504func makeService(hostname host.Name, configNamespace, address string, ports map[string]int,506external bool, resolution model.Resolution, serviceAccounts ...string,507) *model.Service {508svc := &model.Service{509CreationTime: GlobalTime,510Hostname: hostname,511DefaultAddress: address,512MeshExternal: external,513Resolution: resolution,514ServiceAccounts: serviceAccounts,515Attributes: model.ServiceAttributes{516ServiceRegistry: provider.External,517Name: string(hostname),518Namespace: configNamespace,519},520}521if external && features.CanonicalServiceForMeshExternalServiceEntry {523if svc.Attributes.Labels == nil {524svc.Attributes.Labels = make(map[string]string)525}526svc.Attributes.Labels["service.istio.io/canonical-name"] = configNamespace527svc.Attributes.Labels["service.istio.io/canonical-revision"] = "latest"528}529svcPorts := make(model.PortList, 0, len(ports))531for name, port := range ports {532svcPort := &model.Port{533Name: name,534Port: port,535Protocol: convertPortNameToProtocol(name),536}537svcPorts = append(svcPorts, svcPort)538}539sortPorts(svcPorts)541svc.Ports = svcPorts542return svc543}544// MTLSMode is the expected instance mtls settings. This is for test setup only546type MTLSMode int547const (549MTLS = iota550// Like mTLS, but no label is defined on the endpoint551MTLSUnlabelled552PlainText553)554// nolint: unparam556func makeInstanceWithServiceAccount(cfg *config.Config, address string, port int,557svcPort *networking.ServicePort, svcLabels map[string]string, serviceAccount string,558) *model.ServiceInstance {559i := makeInstance(cfg, address, port, svcPort, svcLabels, MTLSUnlabelled)560i.Endpoint.ServiceAccount = spiffe.MustGenSpiffeURI(i.Service.Attributes.Namespace, serviceAccount)561return i562}563// nolint: unparam565func makeTarget(cfg *config.Config, address string, port int,566svcPort *networking.ServicePort, svcLabels map[string]string, mtlsMode MTLSMode,567) model.ServiceTarget {568services := convertServices(*cfg)569svc := services[0] // default570for _, s := range services {571if string(s.Hostname) == address {572svc = s573break574}575}576if mtlsMode == MTLS {577if svcLabels == nil {578svcLabels = map[string]string{}579}580svcLabels[label.SecurityTlsMode.Name] = model.IstioMutualTLSModeLabel581}582return model.ServiceTarget{583Service: svc,584Port: model.ServiceInstancePort{585ServicePort: &model.Port{586Name: svcPort.Name,587Port: int(svcPort.Number),588Protocol: protocol.Parse(svcPort.Protocol),589},590TargetPort: uint32(port),591},592}593}594// nolint: unparam596func makeInstance(cfg *config.Config, address string, port int,597svcPort *networking.ServicePort, svcLabels map[string]string, mtlsMode MTLSMode,598) *model.ServiceInstance {599services := convertServices(*cfg)600svc := services[0] // default601for _, s := range services {602if string(s.Hostname) == address {603svc = s604break605}606}607tlsMode := model.DisabledTLSModeLabel608if mtlsMode == MTLS || mtlsMode == MTLSUnlabelled {609tlsMode = model.IstioMutualTLSModeLabel610}611if mtlsMode == MTLS {612if svcLabels == nil {613svcLabels = map[string]string{}614}615svcLabels[label.SecurityTlsMode.Name] = model.IstioMutualTLSModeLabel616}617return &model.ServiceInstance{618Service: svc,619Endpoint: &model.IstioEndpoint{620Address: address,621EndpointPort: uint32(port),622ServicePortName: svcPort.Name,623Labels: svcLabels,624TLSMode: tlsMode,625},626ServicePort: &model.Port{627Name: svcPort.Name,628Port: int(svcPort.Number),629Protocol: protocol.Parse(svcPort.Protocol),630},631}632}633func TestConvertService(t *testing.T) {635testConvertServiceBody(t)636test.SetForTest(t, &features.CanonicalServiceForMeshExternalServiceEntry, true)637testConvertServiceBody(t)638}639func testConvertServiceBody(t *testing.T) {641t.Helper()642serviceTests := []struct {644externalSvc *config.Config645services []*model.Service646}{647{648// service entry http649externalSvc: httpNone,650services: []*model.Service{651makeService("*.google.com", "httpNone", constants.UnspecifiedIP,652map[string]int{"http-number": 80, "http2-number": 8080}, true, model.Passthrough),653},654},655{656// service entry tcp657externalSvc: tcpNone,658services: []*model.Service{659makeService("tcpnone.com", "tcpNone", "172.217.0.0/16",660map[string]int{"tcp-444": 444}, true, model.Passthrough),661},662},663{664// service entry http static665externalSvc: httpStatic,666services: []*model.Service{667makeService("*.google.com", "httpStatic", constants.UnspecifiedIP,668map[string]int{"http-port": 80, "http-alt-port": 8080}, true, model.ClientSideLB),669},670},671{672// service entry DNS with no endpoints673externalSvc: httpDNSnoEndpoints,674services: []*model.Service{675makeService("google.com", "httpDNSnoEndpoints", constants.UnspecifiedIP,676map[string]int{"http-port": 80, "http-alt-port": 8080}, true, model.DNSLB, "google.com"),677makeService("www.wikipedia.org", "httpDNSnoEndpoints", constants.UnspecifiedIP,678map[string]int{"http-port": 80, "http-alt-port": 8080}, true, model.DNSLB, "google.com"),679},680},681{682// service entry dns683externalSvc: httpDNS,684services: []*model.Service{685makeService("*.google.com", "httpDNS", constants.UnspecifiedIP,686map[string]int{"http-port": 80, "http-alt-port": 8080}, true, model.DNSLB),687},688},689{690// service entry dns with target port691externalSvc: dnsTargetPort,692services: []*model.Service{693makeService("google.com", "dnsTargetPort", constants.UnspecifiedIP,694map[string]int{"http-port": 80}, true, model.DNSLB),695},696},697{698// service entry tcp DNS699externalSvc: tcpDNS,700services: []*model.Service{701makeService("tcpdns.com", "tcpDNS", constants.UnspecifiedIP,702map[string]int{"tcp-444": 444}, true, model.DNSLB),703},704},705{706// service entry tcp static707externalSvc: tcpStatic,708services: []*model.Service{709makeService("tcpstatic.com", "tcpStatic", "172.217.0.1",710map[string]int{"tcp-444": 444}, true, model.ClientSideLB),711},712},713{714// service entry http internal715externalSvc: httpNoneInternal,716services: []*model.Service{717makeService("*.google.com", "httpNoneInternal", constants.UnspecifiedIP,718map[string]int{"http-number": 80, "http2-number": 8080}, false, model.Passthrough),719},720},721{722// service entry tcp internal723externalSvc: tcpNoneInternal,724services: []*model.Service{725makeService("tcpinternal.com", "tcpNoneInternal", "172.217.0.0/16",726map[string]int{"tcp-444": 444}, false, model.Passthrough),727},728},729{730// service entry multiAddrInternal731externalSvc: multiAddrInternal,732services: []*model.Service{733makeService("tcp1.com", "multiAddrInternal", "1.1.1.0/16",734map[string]int{"tcp-444": 444}, false, model.Passthrough),735makeService("tcp1.com", "multiAddrInternal", "2.2.2.0/16",736map[string]int{"tcp-444": 444}, false, model.Passthrough),737makeService("tcp2.com", "multiAddrInternal", "1.1.1.0/16",738map[string]int{"tcp-444": 444}, false, model.Passthrough),739makeService("tcp2.com", "multiAddrInternal", "2.2.2.0/16",740map[string]int{"tcp-444": 444}, false, model.Passthrough),741},742},743}744selectorSvc := makeService("selector.com", "selector", "0.0.0.0",746map[string]int{"tcp-444": 444, "http-445": 445}, true, model.ClientSideLB)747selectorSvc.Attributes.LabelSelectors = map[string]string{"app": "wle"}748serviceTests = append(serviceTests, struct {750externalSvc *config.Config751services []*model.Service752}{753externalSvc: selector,754services: []*model.Service{selectorSvc},755})756for _, tt := range serviceTests {758services := convertServices(*tt.externalSvc)759if err := compare(t, services, tt.services); err != nil {760t.Errorf("testcase: %v\n%v ", tt.externalSvc.Name, err)761}762}763}764func TestConvertInstances(t *testing.T) {766serviceInstanceTests := []struct {767externalSvc *config.Config768out []*model.ServiceInstance769}{770{771// single instance with multiple ports772externalSvc: httpNone,773// DNS type none means service should not have a registered instance774out: []*model.ServiceInstance{},775},776{777// service entry tcp778externalSvc: tcpNone,779// DNS type none means service should not have a registered instance780out: []*model.ServiceInstance{},781},782{783// service entry static784externalSvc: httpStatic,785out: []*model.ServiceInstance{786makeInstance(httpStatic, "2.2.2.2", 7080, httpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),787makeInstance(httpStatic, "2.2.2.2", 18080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),788makeInstance(httpStatic, "3.3.3.3", 1080, httpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),789makeInstance(httpStatic, "3.3.3.3", 8080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),790makeInstance(httpStatic, "4.4.4.4", 1080, httpStatic.Spec.(*networking.ServiceEntry).Ports[0], map[string]string{"foo": "bar"}, PlainText),791makeInstance(httpStatic, "4.4.4.4", 8080, httpStatic.Spec.(*networking.ServiceEntry).Ports[1], map[string]string{"foo": "bar"}, PlainText),792},793},794{795// service entry DNS with no endpoints796externalSvc: httpDNSnoEndpoints,797out: []*model.ServiceInstance{798makeInstance(httpDNSnoEndpoints, "google.com", 80, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[0], nil, PlainText),799makeInstance(httpDNSnoEndpoints, "google.com", 8080, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[1], nil, PlainText),800makeInstance(httpDNSnoEndpoints, "www.wikipedia.org", 80, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[0], nil, PlainText),801makeInstance(httpDNSnoEndpoints, "www.wikipedia.org", 8080, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[1], nil, PlainText),802},803},804{805// service entry DNS with no endpoints using round robin806externalSvc: httpDNSRRnoEndpoints,807out: []*model.ServiceInstance{808makeInstance(httpDNSRRnoEndpoints, "api.istio.io", 80, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[0], nil, PlainText),809makeInstance(httpDNSRRnoEndpoints, "api.istio.io", 8080, httpDNSnoEndpoints.Spec.(*networking.ServiceEntry).Ports[1], nil, PlainText),810},811},812{813// service entry DNS with workload selector and no endpoints814externalSvc: selectorDNS,815out: []*model.ServiceInstance{},816},817{818// service entry dns819externalSvc: httpDNS,820out: []*model.ServiceInstance{821makeInstance(httpDNS, "us.google.com", 7080, httpDNS.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),822makeInstance(httpDNS, "us.google.com", 18080, httpDNS.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),823makeInstance(httpDNS, "uk.google.com", 1080, httpDNS.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),824makeInstance(httpDNS, "uk.google.com", 8080, httpDNS.Spec.(*networking.ServiceEntry).Ports[1], nil, MTLS),825makeInstance(httpDNS, "de.google.com", 80, httpDNS.Spec.(*networking.ServiceEntry).Ports[0], map[string]string{"foo": "bar"}, MTLS),826makeInstance(httpDNS, "de.google.com", 8080, httpDNS.Spec.(*networking.ServiceEntry).Ports[1], map[string]string{"foo": "bar"}, MTLS),827},828},829{830// service entry dns with target port831externalSvc: dnsTargetPort,832out: []*model.ServiceInstance{833makeInstance(dnsTargetPort, "google.com", 8080, dnsTargetPort.Spec.(*networking.ServiceEntry).Ports[0], nil, PlainText),834},835},836{837// service entry tcp DNS838externalSvc: tcpDNS,839out: []*model.ServiceInstance{840makeInstance(tcpDNS, "lon.google.com", 444, tcpDNS.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),841makeInstance(tcpDNS, "in.google.com", 444, tcpDNS.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),842},843},844{845// service entry tcp static846externalSvc: tcpStatic,847out: []*model.ServiceInstance{848makeInstance(tcpStatic, "1.1.1.1", 444, tcpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),849makeInstance(tcpStatic, "2.2.2.2", 444, tcpStatic.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),850},851},852{853// service entry unix domain socket static854externalSvc: udsLocal,855out: []*model.ServiceInstance{856makeInstance(udsLocal, "/test/sock", 0, udsLocal.Spec.(*networking.ServiceEntry).Ports[0], nil, MTLS),857},858},859}860for _, tt := range serviceInstanceTests {862t.Run(strings.Join(tt.externalSvc.Spec.(*networking.ServiceEntry).Hosts, "_"), func(t *testing.T) {863s := &Controller{}864instances := s.convertServiceEntryToInstances(*tt.externalSvc, nil)865sortServiceInstances(instances)866sortServiceInstances(tt.out)867if err := compare(t, instances, tt.out); err != nil {868t.Fatalf("testcase: %v\n%v", tt.externalSvc.Name, err)869}870})871}872}873func TestConvertWorkloadEntryToServiceInstances(t *testing.T) {875labels := map[string]string{876"app": "wle",877}878serviceInstanceTests := []struct {879name string880wle *networking.WorkloadEntry881se *config.Config882clusterID cluster.ID883out []*model.ServiceInstance884}{885{886name: "simple",887wle: &networking.WorkloadEntry{888Address: "1.1.1.1",889Labels: labels,890},891se: selector,892out: []*model.ServiceInstance{893makeInstance(selector, "1.1.1.1", 444, selector.Spec.(*networking.ServiceEntry).Ports[0], labels, PlainText),894makeInstance(selector, "1.1.1.1", 445, selector.Spec.(*networking.ServiceEntry).Ports[1], labels, PlainText),895},896},897{898name: "mtls",899wle: &networking.WorkloadEntry{900Address: "1.1.1.1",901Labels: labels,902ServiceAccount: "default",903},904se: selector,905out: []*model.ServiceInstance{906makeInstanceWithServiceAccount(selector, "1.1.1.1", 444, selector.Spec.(*networking.ServiceEntry).Ports[0], labels, "default"),907makeInstanceWithServiceAccount(selector, "1.1.1.1", 445, selector.Spec.(*networking.ServiceEntry).Ports[1], labels, "default"),908},909},910{911name: "replace-port",912wle: &networking.WorkloadEntry{913Address: "1.1.1.1",914Labels: labels,915Ports: map[string]uint32{916"http-445": 8080,917},918},919se: selector,920out: []*model.ServiceInstance{921makeInstance(selector, "1.1.1.1", 444, selector.Spec.(*networking.ServiceEntry).Ports[0], labels, PlainText),922makeInstance(selector, "1.1.1.1", 8080, selector.Spec.(*networking.ServiceEntry).Ports[1], labels, PlainText),923},924},925{926name: "augment label",927wle: &networking.WorkloadEntry{928Address: "1.1.1.1",929Labels: labels,930Locality: "region1/zone1/sunzone1",931Network: "network1",932ServiceAccount: "default",933},934se: selector,935clusterID: "fakeCluster",936out: []*model.ServiceInstance{937makeInstanceWithServiceAccount(selector, "1.1.1.1", 444, selector.Spec.(*networking.ServiceEntry).Ports[0], labels, "default"),938makeInstanceWithServiceAccount(selector, "1.1.1.1", 445, selector.Spec.(*networking.ServiceEntry).Ports[1], labels, "default"),939},940},941}942for _, tt := range serviceInstanceTests {944t.Run(tt.name, func(t *testing.T) {945services := convertServices(*tt.se)946s := &Controller{}947instances := s.convertWorkloadEntryToServiceInstances(tt.wle, services, tt.se.Spec.(*networking.ServiceEntry), &configKey{}, tt.clusterID)948sortServiceInstances(instances)949sortServiceInstances(tt.out)950if tt.wle.Locality != "" || tt.clusterID != "" || tt.wle.Network != "" {952for _, serviceInstance := range tt.out {953serviceInstance.Endpoint.Locality = model.Locality{954Label: tt.wle.Locality,955ClusterID: tt.clusterID,956}957serviceInstance.Endpoint.Network = network.ID(tt.wle.Network)958serviceInstance.Endpoint.Labels = labelutil.AugmentLabels(serviceInstance.Endpoint.Labels, tt.clusterID, tt.wle.Locality, "", network.ID(tt.wle.Network))959}960}961if err := compare(t, instances, tt.out); err != nil {963t.Fatal(err)964}965})966}967}968func TestConvertWorkloadEntryToWorkloadInstance(t *testing.T) {970workloadLabel := map[string]string{971"app": "wle",972}973clusterID := "fakeCluster"975expectedLabel := map[string]string{976"app": "wle",977"topology.istio.io/cluster": clusterID,978}979workloadInstanceTests := []struct {981name string982getNetworkIDCb func(IP string, labels labels.Instance) network.ID983wle config.Config984out *model.WorkloadInstance985}{986{987name: "simple",988wle: config.Config{989Meta: config.Meta{990Namespace: "ns1",991},992Spec: &networking.WorkloadEntry{993Address: "1.1.1.1",994Labels: workloadLabel,995Ports: map[string]uint32{996"http": 80,997},998ServiceAccount: "scooby",999},1000},1001out: &model.WorkloadInstance{1002Namespace: "ns1",1003Kind: model.WorkloadEntryKind,1004Endpoint: &model.IstioEndpoint{1005Labels: expectedLabel,1006Address: "1.1.1.1",1007ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1008TLSMode: "istio",1009Namespace: "ns1",1010Locality: model.Locality{1011ClusterID: cluster.ID(clusterID),1012},1013},1014PortMap: map[string]uint32{1015"http": 80,1016},1017},1018},1019{1020name: "simple - tls mode disabled",1021wle: config.Config{1022Meta: config.Meta{1023Namespace: "ns1",1024},1025Spec: &networking.WorkloadEntry{1026Address: "1.1.1.1",1027Labels: map[string]string{1028"security.istio.io/tlsMode": "disabled",1029},1030Ports: map[string]uint32{1031"http": 80,1032},1033ServiceAccount: "scooby",1034},1035},1036out: &model.WorkloadInstance{1037Namespace: "ns1",1038Kind: model.WorkloadEntryKind,1039Endpoint: &model.IstioEndpoint{1040Labels: map[string]string{1041"security.istio.io/tlsMode": "disabled",1042"topology.istio.io/cluster": clusterID,1043},1044Address: "1.1.1.1",1045ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1046TLSMode: "disabled",1047Namespace: "ns1",1048Locality: model.Locality{1049ClusterID: cluster.ID(clusterID),1050},1051},1052PortMap: map[string]uint32{1053"http": 80,1054},1055},1056},1057{1058name: "unix domain socket",1059wle: config.Config{1060Meta: config.Meta{1061Namespace: "ns1",1062},1063Spec: &networking.WorkloadEntry{1064Address: "unix://foo/bar",1065ServiceAccount: "scooby",1066},1067},1068out: &model.WorkloadInstance{1069Namespace: "ns1",1070Kind: model.WorkloadEntryKind,1071Endpoint: &model.IstioEndpoint{1072Labels: map[string]string{1073"topology.istio.io/cluster": clusterID,1074},1075Address: "unix://foo/bar",1076ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1077TLSMode: "istio",1078Namespace: "ns1",1079Locality: model.Locality{1080ClusterID: cluster.ID(clusterID),1081},1082},1083DNSServiceEntryOnly: true,1084},1085},1086{1087name: "DNS address",1088wle: config.Config{1089Meta: config.Meta{1090Namespace: "ns1",1091},1092Spec: &networking.WorkloadEntry{1093Address: "scooby.com",1094ServiceAccount: "scooby",1095},1096},1097out: &model.WorkloadInstance{1098Namespace: "ns1",1099Kind: model.WorkloadEntryKind,1100Endpoint: &model.IstioEndpoint{1101Labels: map[string]string{1102"topology.istio.io/cluster": clusterID,1103},1104Address: "scooby.com",1105ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1106TLSMode: "istio",1107Namespace: "ns1",1108Locality: model.Locality{1109ClusterID: cluster.ID(clusterID),1110},1111},1112DNSServiceEntryOnly: true,1113},1114},1115{1116name: "metadata labels only",1117wle: config.Config{1118Meta: config.Meta{1119Labels: workloadLabel,1120Namespace: "ns1",1121},1122Spec: &networking.WorkloadEntry{1123Address: "1.1.1.1",1124Ports: map[string]uint32{1125"http": 80,1126},1127ServiceAccount: "scooby",1128},1129},1130out: &model.WorkloadInstance{1131Namespace: "ns1",1132Kind: model.WorkloadEntryKind,1133Endpoint: &model.IstioEndpoint{1134Labels: expectedLabel,1135Address: "1.1.1.1",1136ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1137TLSMode: "istio",1138Namespace: "ns1",1139Locality: model.Locality{1140ClusterID: cluster.ID(clusterID),1141},1142},1143PortMap: map[string]uint32{1144"http": 80,1145},1146},1147},1148{1149name: "labels merge",1150wle: config.Config{1151Meta: config.Meta{1152Namespace: "ns1",1153Labels: map[string]string{1154"my-label": "bar",1155},1156},1157Spec: &networking.WorkloadEntry{1158Address: "1.1.1.1",1159Labels: workloadLabel,1160Ports: map[string]uint32{1161"http": 80,1162},1163ServiceAccount: "scooby",1164},1165},1166out: &model.WorkloadInstance{1167Namespace: "ns1",1168Kind: model.WorkloadEntryKind,1169Endpoint: &model.IstioEndpoint{1170Labels: map[string]string{1171"my-label": "bar",1172"app": "wle",1173"topology.istio.io/cluster": clusterID,1174},1175Address: "1.1.1.1",1176ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1177TLSMode: "istio",1178Namespace: "ns1",1179Locality: model.Locality{1180ClusterID: cluster.ID(clusterID),1181},1182},1183PortMap: map[string]uint32{1184"http": 80,1185},1186},1187},1188{1189name: "augment labels",1190wle: config.Config{1191Meta: config.Meta{1192Namespace: "ns1",1193},1194Spec: &networking.WorkloadEntry{1195Address: "1.1.1.1",1196Labels: workloadLabel,1197Ports: map[string]uint32{1198"http": 80,1199},1200Locality: "region1/zone1/subzone1",1201Network: "network1",1202ServiceAccount: "scooby",1203},1204},1205out: &model.WorkloadInstance{1206Namespace: "ns1",1207Kind: model.WorkloadEntryKind,1208Endpoint: &model.IstioEndpoint{1209Labels: map[string]string{1210"app": "wle",1211"topology.kubernetes.io/region": "region1",1212"topology.kubernetes.io/zone": "zone1",1213"topology.istio.io/subzone": "subzone1",1214"topology.istio.io/network": "network1",1215"topology.istio.io/cluster": clusterID,1216},1217Address: "1.1.1.1",1218Network: "network1",1219Locality: model.Locality{1220Label: "region1/zone1/subzone1",1221ClusterID: cluster.ID(clusterID),1222},1223ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1224TLSMode: "istio",1225Namespace: "ns1",1226},1227PortMap: map[string]uint32{1228"http": 80,1229},1230},1231},1232{1233name: "augment labels: networkID get from cb",1234wle: config.Config{1235Meta: config.Meta{1236Namespace: "ns1",1237},1238Spec: &networking.WorkloadEntry{1239Address: "1.1.1.1",1240Labels: workloadLabel,1241Ports: map[string]uint32{1242"http": 80,1243},1244Locality: "region1/zone1/subzone1",1245ServiceAccount: "scooby",1246},1247},1248getNetworkIDCb: func(IP string, labels labels.Instance) network.ID {1249return "cb-network1"1250},1251out: &model.WorkloadInstance{1252Namespace: "ns1",1253Kind: model.WorkloadEntryKind,1254Endpoint: &model.IstioEndpoint{1255Labels: map[string]string{1256"app": "wle",1257"topology.kubernetes.io/region": "region1",1258"topology.kubernetes.io/zone": "zone1",1259"topology.istio.io/subzone": "subzone1",1260"topology.istio.io/network": "cb-network1",1261"topology.istio.io/cluster": clusterID,1262},1263Address: "1.1.1.1",1264Locality: model.Locality{1265Label: "region1/zone1/subzone1",1266ClusterID: cluster.ID(clusterID),1267},1268ServiceAccount: "spiffe://cluster.local/ns/ns1/sa/scooby",1269TLSMode: "istio",1270Namespace: "ns1",1271},1272PortMap: map[string]uint32{1273"http": 80,1274},1275},1276},1277}1278for _, tt := range workloadInstanceTests {1280t.Run(tt.name, func(t *testing.T) {1281s := &Controller{networkIDCallback: tt.getNetworkIDCb}1282instance := s.convertWorkloadEntryToWorkloadInstance(tt.wle, cluster.ID(clusterID))1283if err := compare(t, instance, tt.out); err != nil {1284t.Fatal(err)1285}1286})1287}1288}1289func compare[T any](t testing.TB, actual, expected T) error {1291return util.Compare(jsonBytes(t, actual), jsonBytes(t, expected))1292}1293func jsonBytes(t testing.TB, v any) []byte {1295data, err := json.MarshalIndent(v, "", " ")1296if err != nil {1297t.Fatal(t)1298}1299return data1300}1301